[Devel] [PATCH] eliminate use after free in AcpiOsGetNextFilename()

Dean Nelson dnelson at redhat.com
Tue Nov 19 08:41:06 PST 2013


AcpiOsGetNextFilename() references temp_str in an unlikely error path, after
having freed the memory allocated for it.

Signed-off-by: Dean Nelson <dnelson at redhat.com>
---
 source/os_specific/service_layers/osunixdir.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source/os_specific/service_layers/osunixdir.c b/source/os_specific/service_layers/osunixdir.c
index 02b347d..ef2a924 100644
--- a/source/os_specific/service_layers/osunixdir.c
+++ b/source/os_specific/service_layers/osunixdir.c
@@ -239,14 +239,15 @@ AcpiOsGetNextFilename (
             strcat (temp_str, dir_entry->d_name);
 
             err = stat (temp_str, &temp_stat);
-            free (temp_str);
             if (err == -1)
             {
                 fprintf (stderr,
                     "Cannot stat file (should not happen) - %s\n",
                     temp_str);
+                free (temp_str);
                 return (NULL);
             }
+            free (temp_str);
 
             if ((S_ISDIR (temp_stat.st_mode)
                 && (ExternalInfo->RequestedFileType == REQUEST_DIR_ONLY))


More information about the Devel mailing list