From: Norbert Buchmuller
Date: Sun, 2 Sep 2007 20:08:53 +0000 (-0600)
Subject: mount: chain of symlinks to fstab causes use of pointer after free
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9d6150d12b368820a98cb26ec0d9f76fa4f0905;p=util-linux

mount: chain of symlinks to fstab causes use of pointer after free

Looking at the source in 'mount/realpath.c' we find that when dealing with the second or later symlink in the chain, a memory block was free()d before copying its contents to a newly allocated block.
---

diff --git a/mount/realpath.c b/mount/realpath.c
index 9dc517e4..d659685a 100644
--- a/mount/realpath.c
+++ b/mount/realpath.c
@@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 } else {
 #ifdef resolve_symlinks /* Richard Gooch dislikes sl resolution */
 int m;
+ char *newbuf;

 /* Note: readlink doesn't add the null byte. */
 link_path[n] = '\0';
@@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {

 /* Insert symlink contents into path. */
 m = strlen(path);
+ newbuf = xmalloc(m + n + 1);
+ memcpy(newbuf, link_path, n);
+ memcpy(newbuf + n, path, m + 1);
 if (buf)
 free(buf);
- buf = xmalloc(m + n + 1);
- memcpy(buf, link_path, n);
- memcpy(buf + n, path, m + 1);
- path = buf;
+ path = buf = newbuf;
 #endif
 }
 *npath++ = '/';
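Review bot: The second hunk fixes the use-after-free purely by statement order (allocate and copy into `newbuf`, then `free(buf)`), but nothing in the code records why that order matters, so a later tidy-up could move the `free` back above the copies. A comment ahead of the allocation would pin it, for example `/* path may still point into buf from a previous symlink: copy before freeing */`. Separately, `m + n + 1` is computed in `int` (`m` is declared `int` in the first hunk's context and receives a `strlen` result), so the size passed to `xmalloc` depends on both lengths being bounded elsewhere. The declaration of `n` and any path-length limit lie outside the hunks, as does the rest of `myrealpath`, so treat that as something to confirm rather than a demonstrated defect.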