author | Norbert Buchmuller | 2007-09-02 22:08:53 +0200 |
---|---|---|
committer | Karel Zak | 2007-09-05 11:42:28 +0200 |
commit | a9d6150d12b368820a98cb26ec0d9f76fa4f0905 (patch) | |
tree | d2b07a406b610c98d38410f13a75b3ac2eb0b8c4 /mount/realpath.c | |
parent | setarch: adding groff symlinks to setarch manual page (diff) | |
mount: chain of symlinks to fstab causes use of pointer after free
Looking at the source in 'mount/realpath.c' we find that when dealing with
the second or later symlink in the chain, a memory block was free()d before
copying its contents to a newly allocated block.
Diffstat (limited to 'mount/realpath.c')
-rw-r--r-- | mount/realpath.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/mount/realpath.c b/mount/realpath.c
index 9dc517e4e..d659685a8 100644
--- a/mount/realpath.c
+++ b/mount/realpath.c
@@ -97,6 +97,7 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 } else {
 #ifdef resolve_symlinks /* Richard Gooch dislikes sl resolution */
 int m;
+ char *newbuf;
 /* Note: readlink doesn't add the null byte. */
 link_path[n] = '\0';
@@ -110,12 +111,12 @@ myrealpath(const char *path, char *resolved_path, int maxreslth) {
 /* Insert symlink contents into path. */
 m = strlen(path);
+ newbuf = xmalloc(m + n + 1);
+ memcpy(newbuf, link_path, n);
+ memcpy(newbuf + n, path, m + 1);
 if (buf) free(buf);
- buf = xmalloc(m + n + 1);
- memcpy(buf, link_path, n);
- memcpy(buf + n, path, m + 1);
- path = buf;
+ path = buf = newbuf;
 #endif
 }
 *npath++ = '/'; |
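Review bot: The reordering in the second hunk is correct only because `path` can still point into `buf` from an earlier symlink, and nothing in the new code says so; a comment above the `xmalloc` call such as `/* path may point into buf (set by a previous symlink): copy before freeing */` would keep a later cleanup from moving the `free(buf)` back above the copies. Separately, `m` and `n` are `int`, so `xmalloc(m + n + 1)` and the two `memcpy` lengths rely on `strlen(path)` and the readlink result having been bounded earlier; the lines between the two hunks are not shown, so confirm that bound exists, or compute the size as `size_t`. The `if (buf)` guard before `free(buf)` is redundant, since `free(NULL)` is a no-op. The body of `myrealpath` starts and ends outside both hunks.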