mount: chain of symlinks to fstab causes use of pointer after free
authorNorbert Buchmuller <norbi@nix.hu>
Sun, 2 Sep 2007 20:08:53 +0000 (14:08 -0600)
committerKarel Zak <kzak@redhat.com>
Wed, 5 Sep 2007 11:33:52 +0000 (13:33 +0200)
Looking at the source in 'mount/realpath.c' we find that when dealing with
the second or later symlink in the chain, a memory block was free()d before
copying its contents to a newly allocated block.

mount/realpath.c

index 9dc517e4e33c0b79116953ef5042e5c3f6d3e659..d659685a8349485195582da155e8b193aa695b32 100644 (file)
@@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
                } else {
 #ifdef resolve_symlinks                /* Richard Gooch dislikes sl resolution */
                        int m;
+                       char *newbuf;
 
                        /* Note: readlink doesn't add the null byte. */
                        link_path[n] = '\0';
@@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 
                        /* Insert symlink contents into path. */
                        m = strlen(path);
+                       newbuf = xmalloc(m + n + 1);
+                       memcpy(newbuf, link_path, n);
+                       memcpy(newbuf + n, path, m + 1);
                        if (buf)
                                free(buf);
-                       buf = xmalloc(m + n + 1);
-                       memcpy(buf, link_path, n);
-                       memcpy(buf + n, path, m + 1);
-                       path = buf;
+                       path = buf = newbuf;
 #endif
                }
                *npath++ = '/';
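Review bot: The ordering that makes this fix work is not documented in the second hunk: from the second symlink onward `path` points into the old `buf` (the previous pass assigned it), so `newbuf` must be filled before `free(buf)` runs, and nothing on the new lines says so. I would add `/* path may point into the old buf; copy it into newbuf before freeing */` above `newbuf = xmalloc(m + n + 1);` so that a later cleanup does not reorder the calls back into the use-after-free. The `if (buf)` guard in front of `free(buf)` is redundant, since `free(NULL)` is a no-op. myrealpath's body starts and ends outside both hunks, so the bounds on `m` and `n` that keep the `int` sum `m + n + 1` from overflowing cannot be confirmed from here.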