[PATCH] btrfs-progs: cmd-subvolume: set subvol_path to NULL after free

[PATCH] btrfs-progs: cmd-subvolume: set subvol_path to NULL after free

[Su Yue]

User reported that `btrfs subvolume show -u -- /mnt` causes double free.


Pointer subovl_path was freed in iterations but still keeps old value.
In the last iteration, error BTRFS_UTIL_ERROR_STOP_ITERATION returned,
then the double free of subvol_path happens in the out goto label.

Set subvol_path to NULL after each free() in the loop to fix the issue.

Links: https://github.com/kdave/btrfs-progs/issues/317
Signed-off-by: Su Yue <l@damenly.su>
---
 cmds/subvolume.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmds/subvolume.c b/cmds/subvolume.c
index f153cfa9..a6771d10 100644
--- a/cmds/subvolume.c
+++ b/cmds/subvolume.c
@@ -1117,6 +1117,7 @@ static int cmd_subvol_show(const struct cmd_struct *cmd, int argc, char **argv)
 				break;
 
 			free(subvol_path);
+			subvol_path = NULL;
 		}
 		btrfs_util_destroy_subvolume_iterator(iter);
 	} else {
-- 
2.29.2

Re: [PATCH] btrfs-progs: cmd-subvolume: set subvol_path to NULL after free

[David Sterba]

On Mon, Dec 07, 2020 at 05:07:55PM +0800, Su Yue wrote:
> User reported that `btrfs subvolume show -u -- /mnt` causes double free.
> 
> 
> Pointer subovl_path was freed in iterations but still keeps old value.
> In the last iteration, error BTRFS_UTIL_ERROR_STOP_ITERATION returned,
> then the double free of subvol_path happens in the out goto label.
> 
> Set subvol_path to NULL after each free() in the loop to fix the issue.
> 
> Links: https://github.com/kdave/btrfs-progs/issues/317
> Signed-off-by: Su Yue <l@damenly.su>

Thanks, added to devel.