From: Darrick J. Wong <djwong@xxxxxxxxxx>
Change the function declaration of unicrash_add to set the caller's
@new_entry to NULL if we detect an updated name entry and do not wish to
continue processing. This avoids a theoretical UAF if the unicrash_add
caller were to accidentally continue using the pointer.
This isn't an /actual/ UAF because the function formerly set @badflags
to zero, but let's be a little defensive.
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
scrub/unicrash.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/scrub/unicrash.c b/scrub/unicrash.c
index fc1adb2caab..5a61d69705b 100644
--- a/scrub/unicrash.c
+++ b/scrub/unicrash.c
@@ -626,10 +626,11 @@ _("Unicode name \"%s\" in %s could be confused with \"%s\"."),
static void
unicrash_add(
struct unicrash *uc,
- struct name_entry *new_entry,
+ struct name_entry **new_entryp,
unsigned int *badflags,
struct name_entry **existing_entry)
{
+ struct name_entry *new_entry = *new_entryp;
struct name_entry *entry;
size_t bucket;
xfs_dahash_t hash;
@@ -652,7 +653,7 @@ unicrash_add(
entry->ino = new_entry->ino;
uc->buckets[bucket] = new_entry->next;
name_entry_free(new_entry);
- *badflags = 0;
+ *new_entryp = NULL;
return;
}
@@ -695,8 +696,8 @@ __unicrash_check_name(
return 0;
name_entry_examine(new_entry, &badflags);
- unicrash_add(uc, new_entry, &badflags, &dup_entry);
- if (badflags)
+ unicrash_add(uc, &new_entry, &badflags, &dup_entry);
+ if (new_entry && badflags)
unicrash_complain(uc, dsc, namedescr, new_entry, badflags,
dup_entry);
