In merge_words func, if REALLOC() fails, the input *dst will be freed.
If so, mpp->hwhandler|mpp->features|mpp->selector may be set to NULL
after calling merge_words func in disassemble_map func. This may cause
an accessing-freed-memory problem. Here, we do not free *dst if REALLOC()
fails in merge_words func.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx>
Signed-off-by: Lixiaokeng <lixiaokeng@xxxxxxxxxx>
--- libmultipath/dmparser.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libmultipath/dmparser.c b/libmultipath/dmparser.c index c1031616..482e9d0e 100644 --- a/libmultipath/dmparser.c +++ b/libmultipath/dmparser.c @@ -26,13 +26,12 @@ merge_words(char **dst, const char *word) dstlen = strlen(*dst); len = dstlen + strlen(word) + 2; - *dst = REALLOC(*dst, len); + p = REALLOC(*dst, len); - if (!*dst) { - free(p); + if (!p) return 1; - } + *dst = p; p = *dst + dstlen; *p = ' '; ++p; --
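Review bot: the new `if (!p) return 1;` path leaves `*dst` pointing at the original, still-allocated buffer, so on failure ownership stays with the caller, and nothing in the hunk documents that contract. Please add a comment above merge_words() stating that on a non-zero return `*dst` is unchanged and must still be freed by the caller, and confirm that the error paths in disassemble_map() (the caller named in the commit message) release mpp->hwhandler, mpp->features and mpp->selector rather than leaking them now that merge_words() no longer frees the buffer. As a style point, `p` is used first as the REALLOC() result and then immediately reassigned as the write cursor in `p = *dst + dstlen;`; a separate temporary for the REALLOC() result would make the two roles easier to read.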