Fix UB with the path.

- we were allocating plen+nlen+1 bytes but writing to index plen+nlen+1; the
  correct allocation size should have been plen+nlen+2, because it needed to
  fit the slash and the null byte
- printing buf after it's been added to queue gets into a race condition
  where it can be freed before it's printed
Érico Nogueira 2021-10-03 01:02:26 -03:00
parent 948783245d
commit 0e80093346
1 changed files with 2 additions and 2 deletions


@ -150,14 +150,14 @@ remove_dir:
n++;
size_t nlen = strlen(entry->d_name);
char *buf = malloc(plen + nlen + 1);
char *buf = malloc(plen + nlen + 2);
memcpy(buf, p->path, plen);
buf[plen] = '/';
memcpy(buf+plen+1, entry->d_name, nlen);
buf[plen+nlen+1] = '\0';
queue_add(q, buf, entry->d_type, p);
printf("adding to queue'%s'\n", buf);
queue_add(q, buf, entry->d_type, p);
}
/* this store doesn't need to be atomic, since we release the mutex below */
atomic_store_explicit(&p->rc, n, memory_order_relaxed);
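Review bot: The result of `malloc(plen + nlen + 2)` is still used unchecked: the `memcpy(buf, p->path, plen)` on the next line writes through it, so an allocation failure becomes a NULL-pointer write in a loop that appears to run once per directory entry. A guard such as `if (!buf) { perror("malloc"); exit(EXIT_FAILURE); }` directly after the allocation would close that, adapted to however the rest of the file reports fatal errors, which is not visible from this hunk. Because the reordering relies on `queue_add` taking ownership of `buf`, a comment above the call would keep the use-after-free from being reintroduced: `/* queue_add() hands buf to the queue, which may free it at any time; do not touch buf after this call */`. The enclosing function starts and ends outside the hunk.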