From: Minwoo Im <minwoo.im@samsung.com>
Date: Wed, 24 Apr 2019 00:46:29 +0000 (+0100)
Subject: ioctl: Fix double-free in a loop of get_property
X-Git-Tag: v1.9~82^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=d16e1d2784a48c9b25e58a0e821c737670c6cdc8;p=users%2Fsagi%2Fnvme-cli.git

ioctl: Fix double-free in a loop of get_property

As it was reported, *pbar could be double-freed in case
get_property_helper() fails in the middle of the loop.

This issue was reported by Ken Heitke on:
  https://github.com/linux-nvme/nvme-cli/pull/471

Signed-off-by: Minwoo Im <minwoo.im@samsung.com>
---

diff --git a/nvme-ioctl.c b/nvme-ioctl.c
index 4cf7aebd..16fdc664 100644
--- a/nvme-ioctl.c
+++ b/nvme-ioctl.c
@@ -626,8 +626,10 @@ int nvme_get_properties(int fd, void **pbar)
 		err = get_property_helper(fd, offset, *pbar + offset, &advance);
 		if (!err)
 			ret = 0;
-		else
+		else {
 			free(*pbar);
+			break;
+		}
 	}
 
 	return ret;