debugfs: fix memory allocation failures when parsing journal_write arguments

Fix double-free issues when parsing an invalid journal_write command,
such as: "journal_write -b 12 -b BAD -b 42".

Addresses-Coverity-Bug: 1464571
Addresses-Coverity-Bug: 1464575
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c
index c25e894..a49bc36 100644 (file)
--- a/debugfs/do_journal.c
+++ b/debugfs/do_journal.c
@@ -556,15 +556,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)),
                switch (opt) {
                case 'b':
                        err = read_list(optarg, &blist, &bn);
-                       if (err)
+                       if (err) {
                                com_err(argv[0], err,
                                        "while reading block list");
+                               goto out;
+                       }
                        break;
                case 'r':
                        err = read_list(optarg, &rlist, &rn);
-                       if (err)
+                       if (err) {
                                com_err(argv[0], err,
                                        "while reading revoke list");
+                               goto out;
+                       }
                        break;
                case 'c':
                        flags |= JOURNAL_WRITE_NO_COMMIT;

diff --git a/debugfs/util.c b/debugfs/util.c
index fb05e89..be6b550 100644 (file)
--- a/debugfs/util.c
+++ b/debugfs/util.c
@@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
        blk64_t *lst = *list;
        size_t ln = *len;
        char *tok, *p = str;
-       errcode_t retval;
+       errcode_t retval = 0;
 
        while ((tok = strtok(p, ","))) {
                blk64_t *l;
@@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
                                return errno;
                } else if (*e != 0) {
                        retval = EINVAL;
-                       goto err;
+                       break;
                }
                if (y < x) {
                        retval = EINVAL;
-                       goto err;
+                       break;
                }
                l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1));
-               if (l == NULL)
-                       return ENOMEM;
+               if (l == NULL) {
+                       retval = ENOMEM;
+                       break;
+               }
                lst = l;
                for (; x <= y; x++)
                        lst[ln++] = x;
@@ -555,9 +557,6 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
 
        *list = lst;
        *len = ln;
-       return 0;
-err:
-       free(lst);
        return retval;
 }