Fix use-after-free in delayed link processing (newc format)

During archiving, if some of the "delayed" hard link entries
happened to disappear on filesystem (or become unreadable) for
some reason (most probably race), the old code free()d the 'entry'
and continued with the loop;  the next loop though dereferenced
'entry' and crashed the archiver.

Per report from Coverity.

diff --git a/tar/write.c b/tar/write.c
index e15cc06ccfc4d9ec62ecd9799594df8c2519f852..c6e9fccc4550ea6e3bbcf669727604cd8064b5f0 100644 (file)
--- a/tar/write.c
+++ b/tar/write.c
@@ -540,8 +540,7 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
                        lafe_warnc(archive_errno(disk),
                            "%s", archive_error_string(disk));
                        bsdtar->return_value = 1;
-                       archive_entry_free(entry);
-                       continue;
+                       goto next_entry;
                }
 
                /*
@@ -559,13 +558,13 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
                                bsdtar->return_value = 1;
                        else
                                archive_read_close(disk);
-                       archive_entry_free(entry);
-                       continue;
+                       goto next_entry;
                }
 
                write_file(bsdtar, a, entry);
-               archive_entry_free(entry);
                archive_read_close(disk);
+next_entry:
+               archive_entry_free(entry);
                entry = NULL;
                archive_entry_linkify(bsdtar->resolver, &entry, &sparse_entry);
        }