Blame SOURCES/0005-mount.cifs-fix-bad-free-of-string-returned-by-dirnam.patch

97823b
From 7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3 Mon Sep 17 00:00:00 2001
97823b
From: Jeff Layton <jlayton@samba.org>
97823b
Date: Thu, 10 Oct 2013 22:05:05 -0400
97823b
Subject: [PATCH] mount.cifs: fix bad free() of string returned by dirname()
97823b
97823b
Coverity says:
97823b
97823b
  Error: CPPCHECK_WARNING: [#def10]
97823b
  cifs-utils-6.2/mount.cifs.c:1518: error[memleakOnRealloc]: Common realloc mistake: 'mtabdir' nulled but not freed upon failure
97823b
97823b
del_mtab has a number of bugs in handling of allocated memory:
97823b
97823b
a) the return value of strdup() is not checked
97823b
97823b
b) It calls realloc() on a pointer that wasn't returned by an allocation
97823b
   function (e.g. malloc, calloc, etc.)
97823b
97823b
c) If realloc() fails, it doesn't call free() on the original memory
97823b
   returned by strdup()
97823b
97823b
Fix all of these bugs and add newlines to the end of the error messages
97823b
in del_mtab.
97823b
97823b
Signed-off-by: Jeff Layton <jlayton@samba.org>
97823b
---
97823b
 mount.cifs.c | 29 ++++++++++++++++++-----------
97823b
 1 file changed, 18 insertions(+), 11 deletions(-)
97823b
97823b
diff --git a/mount.cifs.c b/mount.cifs.c
97823b
index 7206dcb..497665d 100644
97823b
--- a/mount.cifs.c
97823b
+++ b/mount.cifs.c
97823b
@@ -1508,23 +1508,29 @@ add_mtab_exit:
97823b
 static int
97823b
 del_mtab(char *mountpoint)
97823b
 {
97823b
-	int tmprc, rc = 0;
97823b
+	int len, tmprc, rc = 0;
97823b
 	FILE *mnttmp, *mntmtab;
97823b
 	struct mntent *mountent;
97823b
-	char *mtabfile, *mtabdir, *mtabtmpfile;
97823b
+	char *mtabfile, *mtabdir, *mtabtmpfile = NULL;
97823b
 
97823b
 	mtabfile = strdup(MOUNTED);
97823b
-	mtabdir = dirname(mtabfile);
97823b
-	mtabdir = realloc(mtabdir, strlen(mtabdir) + strlen(MNT_TMP_FILE) + 2);
97823b
-	if (!mtabdir) {
97823b
-		fprintf(stderr, "del_mtab: cannot determine current mtab path");
97823b
+	if (!mtabfile) {
97823b
+		fprintf(stderr, "del_mtab: cannot strdup MOUNTED\n");
97823b
 		rc = EX_FILEIO;
97823b
 		goto del_mtab_exit;
97823b
 	}
97823b
 
97823b
-	mtabtmpfile = strcat(mtabdir, MNT_TMP_FILE);
97823b
+	mtabdir = dirname(mtabfile);
97823b
+	len = strlen(mtabdir) + strlen(MNT_TMP_FILE);
97823b
+	mtabtmpfile = malloc(len + 1);
97823b
 	if (!mtabtmpfile) {
97823b
-		fprintf(stderr, "del_mtab: cannot allocate memory to tmp file");
97823b
+		fprintf(stderr, "del_mtab: cannot allocate memory to tmp file\n");
97823b
+		rc = EX_FILEIO;
97823b
+		goto del_mtab_exit;
97823b
+	}
97823b
+
97823b
+	if (sprintf(mtabtmpfile, "%s%s", mtabdir, MNT_TMP_FILE) != len) {
97823b
+		fprintf(stderr, "del_mtab: error writing new string\n");
97823b
 		rc = EX_FILEIO;
97823b
 		goto del_mtab_exit;
97823b
 	}
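Review bot: The `sprintf()` into `mtabtmpfile` is only safe because `len` was computed from the same two strings a few lines earlier, and `len` is an `int` holding a sum of `size_t` values from `strlen()`. Both inputs look like compile-time constants, so an overflow does not appear reachable, but passing the size makes the write self-bounding: `if (snprintf(mtabtmpfile, len + 1, "%s%s", mtabdir, MNT_TMP_FILE) != len) {`. A comment above the `dirname()` call, such as `/* dirname() may modify mtabfile or return static storage: never free() or realloc() mtabdir */`, would record why only `mtabfile` and `mtabtmpfile` are owned and guard against the original bug returning. The body of del_mtab continues outside this hunk.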
97823b
@@ -1532,14 +1538,14 @@ del_mtab(char *mountpoint)
97823b
 	atexit(unlock_mtab);
97823b
 	rc = lock_mtab();
97823b
 	if (rc) {
97823b
-		fprintf(stderr, "del_mtab: cannot lock mtab");
97823b
+		fprintf(stderr, "del_mtab: cannot lock mtab\n");
97823b
 		rc = EX_FILEIO;
97823b
 		goto del_mtab_exit;
97823b
 	}
97823b
 
97823b
 	mtabtmpfile = mktemp(mtabtmpfile);
97823b
 	if (!mtabtmpfile) {
97823b
-		fprintf(stderr, "del_mtab: cannot setup tmp file destination");
97823b
+		fprintf(stderr, "del_mtab: cannot setup tmp file destination\n");
97823b
 		rc = EX_FILEIO;
97823b
 		goto del_mtab_exit;
97823b
 	}
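Review bot: The `if (!mtabtmpfile)` test after `mktemp()` does not detect failure on glibc, where `mktemp()` always returns its argument and signals failure by making the template an empty string. Now that `mtabtmpfile` is a malloc'd buffer freed at `del_mtab_exit`, assigning the return value back over it would also lose that buffer on any implementation that does return NULL. Checking without reassigning covers both cases: `if (!mktemp(mtabtmpfile) || mtabtmpfile[0] == '\0') {`. Separately, `mktemp()` only generates a name, so another process could create the path before the file is opened (that code is outside this hunk). `mkstemp()` creates and opens the file atomically and would close that window, assuming the later open can be changed to use a descriptor.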
97823b
@@ -1587,7 +1593,8 @@ del_mtab(char *mountpoint)
97823b
 
97823b
 del_mtab_exit:
97823b
 	unlock_mtab();
97823b
-	free(mtabdir);
97823b
+	free(mtabtmpfile);
97823b
+	free(mtabfile);
97823b
 	return rc;
97823b
 
97823b
 del_mtab_error:
97823b
-- 
97823b
1.8.3.1
97823b