From: David Sterba
Date: Wed, 26 Aug 2015 11:34:39 +0000 (+0200)
Subject: btrfs-progs: fix use after free in replace start
X-Git-Tag: upstream/4.16.1~2061
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=bf3639dc625bf5b07a6f30f065fbfa1cfb349869;p=platform%2Fupstream%2Fbtrfs-progs.git
btrfs-progs: fix use after free in replace start
Commit "btrfs-progs: Add further checks to btrfs replace start command" accesses device size just after its memory is freed.
Resolves-coverity-id: 1320425
Signed-off-by: David Sterba
---
diff --git a/cmds-replace.c b/cmds-replace.c
index a980305..9ab8438 100644
--- a/cmds-replace.c
+++ b/cmds-replace.c
@@ -245,13 +245,13 @@ static int cmd_replace_start(int argc, char **argv)
 for (i = 0; i < fi_args.num_devices; i++)
 if (start_args.start.srcdevid == di_args[i].devid)
 break;
+ srcdev_size = di_args[i].total_bytes;
 free(di_args);
 if (i == fi_args.num_devices) {
 fprintf(stderr, "Error: '%s' is not a valid devid for filesystem '%s'\n",
 srcdev, path);
 goto leave_with_error;
 }
- srcdev_size = di_args[i].total_bytes;
 } else if (is_block_device(srcdev) > 0) {
 strncpy((char *)start_args.start.srcdev_name, srcdev,
 BTRFS_DEVICE_PATH_NAME_MAX);
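Review bot: The added `srcdev_size = di_args[i].total_bytes;` now runs before the `i == fi_args.num_devices` check, so when no devid matches, the loop leaves `i` at `fi_args.num_devices` and the read lands one element past the last entry the loop examined. That is presumably an out-of-bounds read of `di_args`, assuming the array holds `num_devices` entries; its allocation is outside the hunk. Guarding the read, `if (i < fi_args.num_devices) srcdev_size = di_args[i].total_bytes;`, keeps the error path away from the array while the following `free(di_args)` still covers both paths. `cmd_replace_start` begins and ends outside the hunk, so the later uses of `srcdev_size` are not visible here.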