The actions_add_trace_output() and actions_add_shell() functions leave the action list in an inconsistent state when strdup() fails. The actions_new() function increments self->len before returning a pointer to the new action slot, but if the subsequent strdup() allocation fails, the function returns an error without decrementing self->len back.
This leaves an action object in an invalid state within the list. When actions_destroy() or other functions iterate over the list using for_each_action(), they will access this invalid entry with uninitialized fields, potentially leading to undefined behavior. Fix this by decrementing self->len when strdup() fails, effectively returning the allocated slot back to the pool and maintaining list consistency even when memory allocation fails. Signed-off-by: Wander Lairson Costa <[email protected]> --- tools/tracing/rtla/src/actions.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tools/tracing/rtla/src/actions.c b/tools/tracing/rtla/src/actions.c index 2d153d5efdea2..4aaaedadcc42a 100644 --- a/tools/tracing/rtla/src/actions.c +++ b/tools/tracing/rtla/src/actions.c @@ -76,11 +76,13 @@ actions_add_trace_output(struct actions *self, const char *trace_output) if (!action) return -1; - self->present[ACTION_TRACE_OUTPUT] = true; action->type = ACTION_TRACE_OUTPUT; action->trace_output = strdup(trace_output); - if (!action->trace_output) + if (!action->trace_output) { + self->len--; // return the action object to the pool return -1; + } + self->present[ACTION_TRACE_OUTPUT] = true; return 0; } @@ -115,11 +117,13 @@ actions_add_shell(struct actions *self, const char *command) if (!action) return -1; - self->present[ACTION_SHELL] = true; action->type = ACTION_SHELL; action->command = strdup(command); - if (!action->command) + if (!action->command) { + self->len--; return -1; + } + self->present[ACTION_SHELL] = true; return 0; } -- 2.51.1
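Review bot: in the strdup() failure branch of actions_add_trace_output(), `self->len--` open-codes the undo of actions_new(), and the same rollback is repeated in actions_add_shell(). Either duplicate the string before calling actions_new(), so that no slot has to be handed back on failure, or put the rollback in one small helper next to actions_new() so the two cannot drift apart. The trailing `// return the action object to the pool` comment should also use the `/* ... */` form that kernel coding style prefers.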
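Review bot: in actions_add_shell(), moving `self->present[ACTION_SHELL] = true;` below the strdup() check is a second behavioural change that the changelog does not mention; the message only describes the self->len rollback. Please add a sentence saying that the present[] flag is now set only after the action is fully initialised (the same applies to ACTION_TRACE_OUTPUT in the first hunk). The `self->len--;` line here also lacks the explanatory comment that the first hunk carries, so either comment both or neither.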
