cg: props -- Handle use after free on error path in cgp_handle_props caller

 | *** CID 161427:  Memory - corruptions  (USE_AFTER_FREE)
 | /criu/cgroup-props.c: 352 in cgp_parse_stream()
 | 346
 | 347             ret = 0;
 | 348     out:
 | 349             return ret;
 | 350
 | 351     err_parse:
 | >>>     CID 161427:  Memory - corruptions  (USE_AFTER_FREE)
 | >>>     Calling "cgp_free" frees pointer "cgp_entry" which has already been freed.
 | 352             cgp_free(cgp_entry);
 | 353             ret = -EINVAL;
 | 354             goto out;
 | 355     }
 | 356
 | 357     static int cgp_parse_file(char *path)
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

criu/cgroup-props.c

@@ -81,24 +81,26 @@ static int cgp_merge_props(cgp_list_entry_t *d, cgp_list_entry_t *s)
 	return 0;
 }
 
-static int cgp_handle_props(cgp_list_entry_t *p, int strategy)
+static int cgp_handle_props(cgp_list_entry_t **p, int strategy)
 {
+	cgp_list_entry_t *s = *p;
 	cgp_list_entry_t *t;
 
 	list_for_each_entry(t, &cgp_list, list) {
-		if (strcmp(t->cgp.name, p->cgp.name))
+		if (strcmp(t->cgp.name, s->cgp.name))
 			continue;
 
 		pr_debug("%s \"%s\" controller properties\n",
 			 strategy == CGP_MERGE ?
 			 "Merging" : "Replacing",
-			 p->cgp.name);
+			 s->cgp.name);
 
 		if (strategy == CGP_MERGE) {
 			int ret;
 
-			ret = cgp_merge_props(t, p);
-			cgp_free(p);
+			ret = cgp_merge_props(t, s);
+			cgp_free(s);
+			*p = NULL;
 			return ret;
 		} else if (strategy == CGP_REPLACE) {
 			/*
@@ -114,7 +116,8 @@ static int cgp_handle_props(cgp_list_entry_t *p, int strategy)
 	/*
 	 * New controller, simply add it.
 	 */
-	list_add(&p->list, &cgp_list);
+	list_add(&s->list, &cgp_list);
+	*p = NULL;
 	return 0;
 }
 
@@ -338,7 +341,7 @@ static int cgp_parse_stream(char *stream, size_t len)
 			goto err_parse;
 		}
 
-		if (cgp_handle_props(cgp_entry, strategy))
+		if (cgp_handle_props(&cgp_entry, strategy))
 			goto err_parse;
 
 		cgp_entry = NULL;