From: Tomasz Blaszczak Date: Fri, 25 Jun 2021 10:04:49 +0000 (+0200) Subject: Resize array in remove_from_array() and fix a crash X-Git-Tag: lxc-5.0.0~151^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5364ae41aaa4718853b41dd0d312555867b990f1;p=thirdparty%2Flxc.git Resize array in remove_from_array() and fix a crash When an item is added to an array, then the array is realloc()ed (to size+1), and the item is copied (strdup()) to the array. Thus, when an item is removed from an array, allocated memory pointed by the item (not the item itself) should be freed, successive items should be left-shifted and the array realloc()ed again (size-1). Additional changes: - Initialize an array in list_all_containers(). Signed-off-by: Tomasz Blaszczak
---
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index b1be7e0ed..c533d9dd4 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2262,7 +2262,7 @@ static inline int container_cmp(struct lxc_container **first,
 static bool add_to_array(char ***names, char *cname, int pos)
 {
- char **newnames = realloc(*names, (pos+1) * sizeof(char *));
+ char **newnames = (char**)realloc(*names, (pos+1) * sizeof(char *));
 if (!newnames) {
 ERROR("Out of memory");
 return false;
@@ -2270,10 +2270,8 @@ static bool add_to_array(char ***names, char *cname, int pos)
 *names = newnames;
 newnames[pos] = strdup(cname);
- if (!newnames[pos]) {
- *names = (char**)realloc(*names, (pos) * sizeof(char *));
+ if (!newnames[pos])
 return false;
- }
 /* Sort the array as we will use binary search on it. */
 qsort(newnames, pos + 1, sizeof(char *),
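Review bot: The new strdup() failure path in add_to_array() (second hunk) returns false with `*names` already pointing at the grown block and `names[pos]` set to NULL, and nothing in the code records that state. That is safe only if every caller keeps its own count at `pos` and still frees the array; the callers are not visible in this diff, so that is an assumption to confirm. I would add a comment above the check, for example `/* On failure the array keeps pos+1 slots with names[pos] == NULL; the caller still owns it. */`. The function body continues past the end of the hunk.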
@@ -2322,12 +2320,16 @@ static bool remove_from_array(char ***names, char *cname, int size)
 {
 char **result = get_from_array(names, cname, size);
 if (result != NULL) {
- int i;
- for (i = 0; (*names)[i] != *result && i < size; i++) {
- }
+ size_t i = result - *names;
 free(*result);
 memmove(*names+i, *names+i+1, (size-i-1) * sizeof(char*));
- *names = (char**)realloc(*names, (size-1) * sizeof(char *));
+ char **newnames = (char**)realloc(*names, (size-1) * sizeof(char *));
+ if (!newnames) {
+ ERROR("Out of memory");
+ return false;
+ }
+
+ *names = newnames;
 return true;
 }
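Review bot: The new `if (!newnames)` branch in remove_from_array() returns false after `free(*result)` and the memmove() have already run, so the entry is gone while the caller is told nothing was removed. On that path slot `size-1` still holds a copy of the pointer now in slot `size-2`, so a caller that then frees `size` entries would free it twice (callers are outside the hunk, so this is inferred). The branch is also reachable without memory pressure: when `size` is 1 the call is `realloc(*names, 0)`, which on some C libraries frees the block and returns NULL, leaving `*names` dangling. A failed shrink leaves the old block valid, so I would treat it as success and handle the empty case explicitly, as sketched below, provided callers tolerate a NULL array. The function continues past the end of the hunk.

```c
		/* … unchanged: get_from_array() lookup, index computation, free(*result) … */
		memmove(*names+i, *names+i+1, (size-i-1) * sizeof(char*));

		if (size == 1) {
			/* Removing the only entry: do not call realloc(ptr, 0). */
			free(*names);
			*names = NULL;
			return true;
		}

		char **newnames = realloc(*names, (size-1) * sizeof(char *));
		if (newnames)
			*names = newnames;
		/* A failed shrink keeps the old, larger block; the entry is already removed. */
		return true;
```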