
[quality] fixup: vulnerability in kernel

including an out-of-bounds access in dfs, and a use-after-free in
aspace_traversal

Signed-off-by: Shell <smokewood@qq.com>
Shell 1 yıl önce
ebeveyn
işleme
e94b759160

+ 1 - 1
components/dfs/dfs_v1/src/dfs.c

@@ -759,7 +759,7 @@ up_one:
 
     /* remove '/' in the end of path if exist */
     dst--;
-    if ((dst != fullpath) && (*dst == '/'))
+    if (dst >= fullpath && (dst != fullpath) && (*dst == '/'))
         *dst = '\0';
 
     /* final check fullpath is not empty, for the special path of lwext "/.." */
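Review bot: The added `dst >= fullpath` test runs after `dst--`, so when `dst` equals `fullpath` on entry the decrement has already formed a pointer before the start of the object `fullpath` points to. That is undefined behaviour in C, and a compiler may treat the comparison as always true and drop it. Testing before the decrement avoids this, for example `if (dst > fullpath) dst--;` followed by the original `if ((dst != fullpath) && (*dst == '/'))`. The function starts and ends outside the hunk, so whether `dst` is read again later is not visible here; confirm that leaving it undecremented in the empty case is acceptable. The same point applies to the identical change in components/dfs/dfs_v2/src/dfs.c.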

+ 1 - 1
components/dfs/dfs_v2/src/dfs.c

@@ -668,7 +668,7 @@ char *dfs_normalize_path(const char *directory, const char *filename)
 
     /* remove '/' in the end of path if exist */
     dst--;
-    if ((dst != fullpath) && (*dst == '/'))
+    if (dst >= fullpath && (dst != fullpath) && (*dst == '/'))
         *dst = '\0';
 
     /* final check fullpath is not empty, for the special path of lwext "/.." */

+ 6 - 4
components/mm/mm_aspace.c

@@ -345,10 +345,10 @@ rt_inline rt_err_t _migrate_and_release_varea(rt_aspace_t aspace, rt_varea_t to,
     {
         /* uninstall operand & release the varea */
         _aspace_bst_remove(aspace, from);
-        if (!(from->flag & MMF_STATIC_ALLOC))
-            rt_free(from);
-
         to->size += from->size;
+
+        if (VAREA_NOT_STATIC(from))
+            rt_free(from);
     }
     return error;
 }
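Review bot: Keeping `to->size += from->size` ahead of `rt_free(from)` is now what prevents a use-after-free in this branch, but nothing in the code says so, and a later tidy-up could move the free back up. A comment on the free such as `/* from must not be touched after this point; keep all reads of from above */` would record the constraint. The hunk also replaces the explicit `from->flag & MMF_STATIC_ALLOC` test with `VAREA_NOT_STATIC(from)`, whose definition is not part of this diff, so its equivalence to the old test should be confirmed. The function begins outside the hunk.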
@@ -1377,12 +1377,14 @@ int rt_aspace_traversal(rt_aspace_t aspace,
                         int (*fn)(rt_varea_t varea, void *arg), void *arg)
 {
     rt_varea_t varea;
+    rt_varea_t next;
     WR_LOCK(aspace);
     varea = ASPACE_VAREA_FIRST(aspace);
     while (varea)
     {
+        next = ASPACE_VAREA_NEXT(varea);
         fn(varea, arg);
-        varea = ASPACE_VAREA_NEXT(varea);
+        varea = next;
     }
     WR_UNLOCK(aspace);