libsupport: fix potental NULL pointer dereferences in quota functions

get_dq() function can fail when the memory allocation fails and so we
could end up dereferencing NULL pointer. Fix it.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
index dce077e..ec932d1 100644 (file)
--- a/lib/support/mkquota.c
+++ b/lib/support/mkquota.c
@@ -433,7 +433,8 @@ void quota_data_sub(quota_ctx_t qctx, struct ext2_inode_large *inode,
                dict = qctx->quota_dict[qtype];
                if (dict) {
                        dq = get_dq(dict, get_qid(inode, qtype));
-                       dq->dq_dqb.dqb_curspace -= space;
+                       if (dq)
+                               dq->dq_dqb.dqb_curspace -= space;
                }
        }
 }
@@ -460,7 +461,8 @@ void quota_data_inodes(quota_ctx_t qctx, struct ext2_inode_large *inode,
                dict = qctx->quota_dict[qtype];
                if (dict) {
                        dq = get_dq(dict, get_qid(inode, qtype));
-                       dq->dq_dqb.dqb_curinodes += adjust;
+                       if (dq)
+                               dq->dq_dqb.dqb_curinodes += adjust;
                }
        }
 }
@@ -533,6 +535,8 @@ static int scan_dquots_callback(struct dquot *dquot, void *cb_data)
        struct dquot *dq;
 
        dq = get_dq(quota_dict, dquot->dq_id);
+       if (!dq)
+               return -1;
        dq->dq_id = dquot->dq_id;
        dq->dq_flags |= DQF_SEEN;
 

diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
index 6cc4fb5..5910e63 100644 (file)
--- a/lib/support/quotaio_tree.c
+++ b/lib/support/quotaio_tree.c
@@ -601,7 +601,7 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
        __le32 *ref = (__le32 *) buf;
 
        if (!buf)
-               return 0;
+               return -1;
 
        read_blk(dquot->dq_h, blk, buf);
        if (depth == QT_TREEDEPTH - 1) {