linux-nvme / nvme-cli

NVMe management command line interface.
https://nvmexpress.org
GNU General Public License v2.0

Fix code scanning alert - Potential use after free #2203

Open igaw opened 7 months ago

igaw commented 7 months ago

CodeQL complains about a UAF:

Memory may have been previously freed by  

ccan/ccan/strset/strset.c:196
            }

            /* Sew empty string back so remaining logic works */
            free(n->u.n);
            n->u.s = empty_str;
            break;
        }

https://github.com/linux-nvme/nvme-cli/blob/79abafe689432647b97a441b34714ab2b2708d4d/ccan/ccan/strset/strset.c#L211-L211

Tracking issue for:

igaw commented 1 month ago

Maybe we should just merge your fix. Upstream is not really responding. We did the same for the include/define fix for bigendian too.

ikegami-t commented 1 month ago

Thank you. Noted.

ikegami-t commented 1 month ago

So can we close the issue now?

igaw commented 1 month ago

Let's keep it open to track upstream. I still hope it eventually gets addressed.

ikegami-t commented 1 month ago

I see. Thank you.