We use v->allocated with the semantics of "length" or "number of used elements" of a vector. If realloc() fails while deleting an element, we should keep the previously allocated v->slot array but still decrement "allocated" in order to avoid accessing invalid vector elements. The next successful realloc will bring v->allocated and the actual size of the array in sync again. Signed-off-by: Martin Wilck <mwilck@xxxxxxxx> --- libmpathutil/vector.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libmpathutil/vector.c b/libmpathutil/vector.c index 7f763cb..f69d644 100644 --- a/libmpathutil/vector.c +++ b/libmpathutil/vector.c @@ -113,7 +113,7 @@ vector_del_slot(vector v, int slot) return; for (i = slot + 1; i < VECTOR_SIZE(v); i++) - v->slot[i-1] = v->slot[i]; + v->slot[i - 1] = v->slot[i]; v->allocated -= VECTOR_DEFAULT_SIZE; @@ -125,9 +125,15 @@ vector_del_slot(vector v, int slot) void *new_slot; new_slot = realloc(v->slot, sizeof (void *) * v->allocated); - if (!new_slot) - v->allocated += VECTOR_DEFAULT_SIZE; - else + /* + * If realloc() fails, v->allocated will be smaller than the + * actual allocated size vector size. + * This is intentional; we want VECTOR_SIZE() to return + * the number of used elements. Otherwise, vector_for_each_slot() + * et al. wouldn't work as intended; there might be duplicate + * or stale elements at the end of the vector. + */ + if (new_slot) v->slot = new_slot; } } -- 2.49.0
