From: Francis Deslauriers <francis.deslauriers@efficios.com>
Date: Tue, 20 Aug 2019 03:21:57 +0000 (-0400)
Subject: Fix: sink.ctf.fs: possible use-after-free
X-Git-Url: http://git.efficios.com/?p=babeltrace.git;a=commitdiff_plain;h=3e83e4f2f656b3edee71cb33ce24bd3cf998f51c

Fix: sink.ctf.fs: possible use-after-free

Issue
=====
We might use of `trace` pointer after freeing it in the error path.

Solution
========
Move the `fclose()` call (and surroundings) before the `end` label as
the `fh` pointer is only initialized after the only possible `goto end`.

Reported-by: scan-build - Use of memory after it is freed
Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
Change-Id: I8f346b45a76ce976019931f9c63c20dd18a88d86
Reviewed-on: https://review.lttng.org/c/babeltrace/+/1968
Tested-by: jenkins <jenkins@lttng.org>
Reviewed-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Reviewed-by: Simon Marchi <simon.marchi@efficios.com>
---

diff --git a/src/plugins/ctf/fs-sink/fs-sink-trace.c b/src/plugins/ctf/fs-sink/fs-sink-trace.c
index 3d647d2d..1b0bf390 100644
--- a/src/plugins/ctf/fs-sink/fs-sink-trace.c
+++ b/src/plugins/ctf/fs-sink/fs-sink-trace.c
@@ -528,14 +528,6 @@ void fs_sink_trace_destroy(struct fs_sink_trace *trace)
 		trace->path = NULL;
 	}
 
-	g_string_free(trace->metadata_path, TRUE);
-	trace->metadata_path = NULL;
-
-	fs_sink_ctf_trace_destroy(trace->trace);
-	trace->trace = NULL;
-	g_free(trace);
-
-end:
 	if (fh) {
 		int ret = fclose(fh);
 
@@ -546,10 +538,18 @@ end:
 		}
 	}
 
+	g_string_free(trace->metadata_path, TRUE);
+	trace->metadata_path = NULL;
+
+	fs_sink_ctf_trace_destroy(trace->trace);
+	trace->trace = NULL;
+	g_free(trace);
+
 	if (tsdl) {
 		g_string_free(tsdl, TRUE);
 	}
 
+end:
 	return;
 }