From 3e83e4f2f656b3edee71cb33ce24bd3cf998f51c Mon Sep 17 00:00:00 2001 From: Francis Deslauriers Date: Mon, 19 Aug 2019 23:21:57 -0400 Subject: [PATCH] Fix: sink.ctf.fs: possible use-after-free MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Issue ===== We might use of `trace` pointer after freeing it in the error path. Solution ======== Move the `fclose()` call (and surroundings) before the `end` label as the `fh` pointer is only initialized after the only possible `goto end`. Reported-by: scan-build - Use of memory after it is freed Signed-off-by: Francis Deslauriers Change-Id: I8f346b45a76ce976019931f9c63c20dd18a88d86 Reviewed-on: https://review.lttng.org/c/babeltrace/+/1968 Tested-by: jenkins Reviewed-by: Jérémie Galarneau Reviewed-by: Simon Marchi
---
 src/plugins/ctf/fs-sink/fs-sink-trace.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/plugins/ctf/fs-sink/fs-sink-trace.c b/src/plugins/ctf/fs-sink/fs-sink-trace.c
index 3d647d2d..1b0bf390 100644
--- a/src/plugins/ctf/fs-sink/fs-sink-trace.c
+++ b/src/plugins/ctf/fs-sink/fs-sink-trace.c
@@ -528,14 +528,6 @@ void fs_sink_trace_destroy(struct fs_sink_trace *trace)
 trace->path = NULL;
 }
- g_string_free(trace->metadata_path, TRUE);
- trace->metadata_path = NULL;
-
- fs_sink_ctf_trace_destroy(trace->trace);
- trace->trace = NULL;
- g_free(trace);
-
-end:
 if (fh) {
 int ret = fclose(fh);
@@ -546,10 +538,18 @@ end:
 }
 }
+ g_string_free(trace->metadata_path, TRUE);
+ trace->metadata_path = NULL;
+
+ fs_sink_ctf_trace_destroy(trace->trace);
+ trace->trace = NULL;
+ g_free(trace);
+
 if (tsdl) {
 g_string_free(tsdl, TRUE);
 }
+end:
 return;
 }
-- 
2.34.1
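Review bot: The `end:` label, now placed just before `return;` in the second hunk, sits after every release, so a `goto end` introduced later, once `tsdl` or `fh` is set, would leak the string and leave the metadata stream unclosed. The commit message says the only existing jump happens before `fh` is initialised, but that site is outside the hunk (the function starts before the first hunk) and the code itself does not record the invariant. Replacing the jump with a plain `return;` and dropping the label would remove the trap; otherwise a comment above the label such as `/* Only reached before any resource is acquired. */` would do. The new ordering also matters for memory safety, since the `fclose()` failure branch (between the two hunks, not shown) presumably still reads `trace`; a one-line comment above `g_string_free(trace->metadata_path, TRUE);` saying that `trace` must stay valid until the stream is closed would keep a later reorder from reintroducing the use-after-free.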