Hiltjo Posthuma:
> I noticed a free() issue on an uninitialized pointer on a certain condition.
>
> To reproduce:
>
> mkdir -p /tmp/test /tmp/plop
> openrsync -rx /tmp/test/ /tmp/plop/
>
> Result:
>
> openrsync(3470) in free(): bogus pointer (double free?) 0x7f7ffffdcdc8
> Abort trap (core dumped)
>
> The patch below fixes it and simplifies the logic:
I agree. However, the (re)allocation of xdev also looks bogus.
How about this?
(Also, the realloc idiom is exactly the one the man page warns
against. Do we care here?)
Index: flist.c
===================================================================
RCS file: /cvs/src/usr.bin/rsync/flist.c,v
retrieving revision 1.27
diff -u -p -r1.27 flist.c
--- flist.c 2 Jun 2019 14:29:58 -0000 1.27
+++ flist.c 5 Jun 2019 22:15:10 -0000
@@ -808,7 +808,7 @@ flist_gen_dirent(struct sess *sess, char
FTSENT *ent;
struct flist *f;
size_t flsz = 0, stripdir;
- dev_t *xdev;
+ dev_t *xdev = NULL;
struct stat st;
cargv[0] = root;
@@ -931,7 +931,8 @@ flist_gen_dirent(struct sess *sess, char
!S_ISDIR(ent->fts_statp->st_mode))
continue;
- if ((xdev = malloc(sizeof(dev_t))) == NULL) {
+ if (xdev == NULL &&
+ (xdev = malloc(sizeof(dev_t))) == NULL) {
ERRX1("malloc");
goto out;
}
@@ -946,8 +947,8 @@ flist_gen_dirent(struct sess *sess, char
continue;
if (nxdev)
- if ((xdev = realloc(xdev, sizeof(dev_t))) ==
- NULL) {
+ if ((xdev = reallocarray(xdev, nxdev + 1,
+ sizeof(dev_t))) == NULL) {
ERRX1("realloc");
goto out;
}
@@ -1008,8 +1009,7 @@ flist_gen_dirent(struct sess *sess, char
rc = 1;
out:
fts_close(fts);
- if (sess->opts->one_file_system)
- free(xdev);
+ free(xdev);
return rc;
}
--
Christian "naddy" Weisgerber [email protected]
