[Libguestfs] [PATCH] daemon: readdir: fix invalid memory access on error

[Pino Toscano]

If "strdup (d->d_name)" fails with "i" > 0, then both "p" and
"ret->guestfs_int_dirent_list_val" are non-null pointers, but the latter
is no more valid (since "p" is the new realloc'ed buffer). Hence, trying
to free both will access to invalid memory.

Make sure to free only one of them, "p" if not null or
"ret->guestfs_int_dirent_list_val" otherwise.
---
 daemon/readdir.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/daemon/readdir.c b/daemon/readdir.c
index f0ddd21..e488f93 100644
--- a/daemon/readdir.c
+++ b/daemon/readdir.c
@@ -27,6 +27,17 @@
 #include "daemon.h"
 #include "actions.h"
 
+static void
+free_int_dirent_list (guestfs_int_dirent *p, size_t len)
+{
+  size_t i;
+
+  for (i = 0; i < len; ++i) {
+    free (p[i].name);
+  }
+  free (p);
+}
+
 guestfs_int_dirent_list *
 do_readdir (const char *path)
 {
@@ -64,8 +75,11 @@ do_readdir (const char *path)
     v.name = strdup (d->d_name);
     if (!p || !v.name) {
       reply_with_perror ("allocate");
-      free (ret->guestfs_int_dirent_list_val);
-      free (p);
+      if (p) {
+        free_int_dirent_list (p, i);
+      } else {
+        free_int_dirent_list (ret->guestfs_int_dirent_list_val, i);
+      }
       free (v.name);
       free (ret);
       closedir (dir);
-- 
1.9.3