From: Harald Hoyer Date: Mon, 8 Jun 2015 13:14:26 +0000 (+0200) Subject: util:bind_remount_recursive() fix "use after free" X-Git-Tag: v221~170^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F96%2Fhead;p=thirdparty%2Fsystemd.git util:bind_remount_recursive() fix "use after free" set_consume(done, x) consumes x with free(x) but mount(…, x, …) uses it afterwards. coverity CID 1299006 --- diff --git a/src/shared/util.c b/src/shared/util.c index 311acbb3499..1442301cd7f 100644 --- a/src/shared/util.c +++ b/src/shared/util.c @@ -4931,11 +4931,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { while ((x = set_steal_first(todo))) { - r = set_consume(done, x); - if (r == -EEXIST) + r = set_put(done, x); + if (r == -EEXIST) { + free(x); continue; - if (r < 0) + } + if (r < 0) { + free(x); return r; + } /* Try to reuse the original flag set, but * don't care for errors, in case of @@ -4945,14 +4949,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { orig_flags &= ~MS_RDONLY; if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0) { - /* Deal with mount points that are * obstructed by a later mount */ - if (errno != ENOENT) + if (errno != ENOENT) { + free(x); return -errno; + } } - + free(x); } } }
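Review bot: In the first hunk, once `set_put(done, x)` succeeds the set presumably keeps the pointer `x`, yet the second hunk adds an unconditional `free(x);` at the end of the loop body and another before `return -errno;`, so `done` would be left holding freed memory. That means a dangling entry for any later lookup and a likely double free if `done` is released together with its entries; its declaration and cleanup are outside the hunks, so this needs confirming. The use-after-free named in the commit message seems to arise only on the path where the value was not stored, so it would be narrower to free and skip there alone, e.g. `if (r == -EEXIST || r == 0) { free(x); continue; }`, and to leave `x` owned by `done` otherwise, dropping the two frees in the second hunk. This assumes `set_put()` returns 0 for an entry that is already present; check against its definition. The body of bind_remount_recursive() starts outside the first hunk.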
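Review bot: In the `errno != ENOENT` branch of the second hunk, `free(x);` now runs before `return -errno;`, so the returned value may no longer be the one set by the failed mount() on C libraries where free() does not preserve errno. Capturing it first avoids that: `r = -errno; free(x); return r;`. `r` is the variable already used for the set_put() result in the first hunk, so no new declaration should be needed, assuming both hunks sit in the same loop body as they appear to.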