From dcc006035da02efdb2278e46dd513ea8aa522ca8 Mon Sep 17 00:00:00 2001
From: dongjiuzhu1
Date: Thu, 12 Oct 2023 21:15:32 +0800
Subject: [PATCH] fs/rename: fix use after free issue about rename

Signed-off-by: dongjiuzhu1
---
 fs/vfs/fs_rename.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/fs/vfs/fs_rename.c b/fs/vfs/fs_rename.c
index dafc95af85..913fddfd06 100644
--- a/fs/vfs/fs_rename.c
+++ b/fs/vfs/fs_rename.c
@@ -348,14 +348,6 @@ next_subdir:
 {
 FAR char *subdirname;

- /* Free memory may be allocated in previous loop */
-
- if (subdir != NULL)
- {
- lib_free(subdir);
- subdir = NULL;
- }
-
 /* Yes.. In this case, the target of the rename must be a
 * subdirectory of newinode, not the newinode itself. For
 * example: mv b a/ must move b to a/b.
@@ -371,8 +363,19 @@ next_subdir:
 }
 else
 {
+ /* Save subdir to free memory may be allocated in
+ * previous loop.
+ */
+
+ FAR void *tmp = subdir;
+
 ret = asprintf(&subdir, "%s/%s", newrelpath, subdirname);

+ if (tmp != NULL)
+ {
+ lib_free(tmp);
+ }
+
 if (ret < 0)
 {
 subdir = NULL;
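Review bot: The new comment above `FAR void *tmp = subdir;` does not say why the free has to wait until after `asprintf()`, and that ordering is the whole fix. Presumably `newrelpath` can still point at the buffer allocated in the previous pass through `next_subdir`, so I would word it as `/* newrelpath may still point at the previous subdir buffer; free it only after asprintf() has read it. */` so that a later cleanup does not move the free back in front of the call. On the `ret < 0` branch the old buffer has already been released while `newrelpath` is not reassigned in the visible lines; the error path lies outside the hunk, so it is worth confirming that nothing there reads `newrelpath`. The enclosing block continues past the end of the hunk.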