As reported in http://bugs.debian.org/440562, a chain of symlinks to /etc/fstab results in using a pointer after freeing it.

lamont
>From 0d3a65ac1d721b0b48cbe498250934a5eacac29c Mon Sep 17 00:00:00 2001 From: Norbert Buchmuller <norbi@xxxxxx> Date: Sun, 2 Sep 2007 14:08:53 -0600 Subject: [PATCH] mount: chain of symlinks to fstab causes use of pointer after free Looking at the source in 'mount/realpath.c' we find that when dealing with the second or later symlink in the chain, a memory block was free()d before copying its contents to a newly allocated block. --- mount/realpath.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/mount/realpath.c b/mount/realpath.c index 9dc517e..d659685 100644 --- a/mount/realpath.c +++ b/mount/realpath.c @@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) { } else { #ifdef resolve_symlinks /* Richard Gooch dislikes sl resolution */ int m; + char *newbuf; /* Note: readlink doesn't add the null byte. */ link_path[n] = '\0'; @@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) { /* Insert symlink contents into path. */ m = strlen(path); + newbuf = xmalloc(m + n + 1); + memcpy(newbuf, link_path, n); + memcpy(newbuf + n, path, m + 1); if (buf) free(buf); - buf = xmalloc(m + n + 1); - memcpy(buf, link_path, n); - memcpy(buf + n, path, m + 1); - path = buf; + path = buf = newbuf; #endif } *npath++ = '/'; -- 1.5.2.3
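Review bot: the reordering in the second hunk is the right fix, but neither the commit message nor a code comment records the aliasing that makes it one: after the first symlink in the chain, `path` points into `buf` (previously `path = buf;`, now `path = buf = newbuf;`), so the old sequence `if (buf) free(buf);` followed by `memcpy(buf + n, path, m + 1)` read `path` out of memory that had just been freed. Suggest a one-line comment above `if (buf) free(buf);` such as `/* path may point into buf; copy before freeing */`, so a later cleanup does not restore the free-before-copy order. Two things worth confirming from the visible lines: `newbuf` is a fresh `xmalloc(m + n + 1)` allocation, so the two `memcpy` calls cannot overlap the block being freed, and the `m + 1` length carries `path`'s terminating NUL into the new buffer, so the concatenated string stays terminated.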