Currently, put_xattritem() does not remove the `item`
from the hash table after freeing it, which may lead
to a user-after-free issue.
This patch fixes it.
Fixes: 47d6895a5ff9 ("erofs-utils: introduce inline xattr support")
Signed-off-by: Hongzhen Luo <hongz...@linux.alibaba.com>
---
lib/xattr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/xattr.c b/lib/xattr.c
index 7fbd24bbdd75..e4207758fa62 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -169,6 +169,7 @@ static unsigned int put_xattritem(struct xattr_item *item)
{
if (item->count > 1)
return --item->count;
+ hash_del(&item->node);
free(item);
return 0;
}
--
2.43.5
