From: Eryu Guan Date: Sat, 12 Oct 2013 15:47:52 +0000 (+0800) Subject: Btrfs-progs: check return value of realpath(3) X-Git-Tag: upstream/4.16.1~3068 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a7131ad1241470829fd5b836ce6cb6c74cdbef45;p=platform%2Fupstream%2Fbtrfs-progs.git Btrfs-progs: check return value of realpath(3) I hit a segfault when deleting a subvolume with very long name(>4096), it's because cmd_subvol_delete() calls strdup() and passes NULL as argument, which is returned by realpath(3). I used the following script to reproduce #!/bin/bash mnt=$1 i=1 path=$mnt/subvol_$i # Create very deep subvolumes while btrfs sub create $path;do ((i++)) path="$path/subvol_$i" done last_vol=$(dirname $path) dir=$(dirname $last_vol) vol=$(basename $last_vol) # Try to delete tha last one, this would get segfault pushd $dir btrfs sub delete $vol popd Fix it by checking return value of realpath(3), also fix the one in find_mount_root(). Signed-off-by: Eryu Guan Signed-off-by: David Sterba Signed-off-by: Chris Mason --- diff --git a/cmds-send.c b/cmds-send.c index 81b3e49..39110e7 100644 --- a/cmds-send.c +++ b/cmds-send.c @@ -63,6 +63,7 @@ int find_mount_root(const char *path, char **mount_root) int fd; struct mntent *ent; int len; + int ret; int longest_matchlen = 0; char *longest_match = NULL; @@ -95,10 +96,13 @@ int find_mount_root(const char *path, char **mount_root) return -ENOENT; } + ret = 0; *mount_root = realpath(longest_match, NULL); - free(longest_match); + if (!mount_root) + ret = -errno; - return 0; + free(longest_match); + return ret; } static int get_root_id(struct btrfs_send *s, const char *path, u64 *root_id) diff --git a/cmds-subvolume.c b/cmds-subvolume.c index 8832303..63c708e 100644 --- a/cmds-subvolume.c +++ b/cmds-subvolume.c @@ -236,6 +236,12 @@ again: } cpath = realpath(path, NULL); + if (!cpath) { + ret = errno; + fprintf(stderr, "ERROR: finding real path for '%s': %s\n", + path, strerror(errno)); + goto out; + } dupdname = strdup(cpath); dname = dirname(dupdname); dupvname = strdup(cpath);