The function clean_up_cur_rule() is called in the loop, which can lead to double-free of pointers `G.cur_rule.envvar` and `G.cur_rule.ren_mov`. Added NULL checks and NULL assignment after free for correct checks.
Signed-off-by: Maks Mishin <[email protected]> --- util-linux/mdev.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/util-linux/mdev.c b/util-linux/mdev.c index e98d46743..4632e0d18 100644 --- a/util-linux/mdev.c +++ b/util-linux/mdev.c @@ -335,8 +335,15 @@ static void clean_up_cur_rule(void) { struct envmatch *e; - free(G.cur_rule.envvar); - free(G.cur_rule.ren_mov); + if (G.cur_rule.envvar != NULL) { + free(G.cur_rule.envvar); + G.cur_rule.envvar = NULL; + } + if (G.cur_rule.ren_mov != NULL) { + free(G.cur_rule.ren_mov); + G.cur_rule.ren_mov = NULL; + } + if (G.cur_rule.regex_compiled) regfree(&G.cur_rule.match); IF_FEATURE_MDEV_EXEC(free(G.cur_rule.r_cmd);) -- 2.30.2 _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
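Review bot: the `!= NULL` guards added around `free(G.cur_rule.envvar)` and `free(G.cur_rule.ren_mov)` are redundant, because `free(NULL)` is defined to do nothing. The only lines that change behaviour are the two `= NULL` assignments, so the fix can be reduced to the original `free()` calls each followed by its assignment, without the `if` blocks. The unchanged context line `IF_FEATURE_MDEV_EXEC(free(G.cur_rule.r_cmd);)` keeps the free-without-reset pattern, so if a repeated call can really double-free `envvar` and `ren_mov`, `r_cmd` has the same exposure and should be reset as well. The hunk does not show the rest of `clean_up_cur_rule()`. Please confirm that nothing later in the function already reinitialises `G.cur_rule`, and describe in the commit message the call sequence that reaches the second free, since a reset further down would make this change unnecessary. The blank line added before `if (G.cur_rule.regex_compiled)` is not needed.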
