From a9d6150d12b368820a98cb26ec0d9f76fa4f0905 Mon Sep 17 00:00:00 2001
From: Norbert Buchmuller
Date: Sun, 2 Sep 2007 14:08:53 -0600
Subject: [PATCH] mount: chain of symlinks to fstab causes use of pointer after free

Looking at the source in 'mount/realpath.c' we find that when dealing with the second or later symlink in the chain, a memory block was free()d before copying its contents to a newly allocated block.
---
 mount/realpath.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/mount/realpath.c b/mount/realpath.c
index 9dc517e4..d659685a 100644
--- a/mount/realpath.c
+++ b/mount/realpath.c
@@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 } else {
 #ifdef resolve_symlinks /* Richard Gooch dislikes sl resolution */
 int m;
+ char *newbuf;
 /* Note: readlink doesn't add the null byte. */
 link_path[n] = '\0';
@@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 /* Insert symlink contents into path. */
 m = strlen(path);
+ newbuf = xmalloc(m + n + 1);
+ memcpy(newbuf, link_path, n);
+ memcpy(newbuf + n, path, m + 1);
 if (buf) free(buf);
- buf = xmalloc(m + n + 1);
- memcpy(buf, link_path, n);
- memcpy(buf + n, path, m + 1);
- path = buf;
+ path = buf = newbuf;
 #endif
 }
 *npath++ = '/';
-- 
2.39.5
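Review bot: Nothing in the second hunk records why `newbuf` has to be allocated and filled before `free(buf)`, so a later tidy-up could move the allocation back below the free and reintroduce the use after free. Judging by the removed `path = buf;`, `path` can point into the block that `buf` owns from an earlier symlink in the chain, which is why the copy must read it while that block is still live. I would add a comment above the `xmalloc` call, such as `/* path may alias buf from an earlier symlink: copy it before freeing buf */`. Separately, `m` is an `int` holding a `strlen` result and `m + n + 1` is computed in that width before it reaches `xmalloc`; whether the lengths are bounded beforehand is not visible here, since myrealpath's body starts and ends outside the hunk.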