Blame SOURCES/0005-mount.cifs-fix-bad-free-of-string-returned-by-dirnam.patch

From 7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Thu, 10 Oct 2013 22:05:05 -0400
Subject: [PATCH] mount.cifs: fix bad free() of string returned by dirname()
Coverity says:
  Error: CPPCHECK_WARNING: [#def10]
  cifs-utils-6.2/mount.cifs.c:1518: error[memleakOnRealloc]: Common realloc mistake: 'mtabdir' nulled but not freed upon failure
del_mtab has a number of bugs in handling of allocated memory:
a) the return value of strdup() is not checked
b) It calls realloc() on a pointer that wasn't returned by an allocation
   function (e.g. malloc, calloc, etc.)
c) If realloc() fails, it doesn't call free() on the original memory
   returned by strdup()
Fix all of these bugs and add newlines to the end of the error messages
in del_mtab.
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
 mount.cifs.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
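diff --git a/mount.cifs.c b/mount.cifs.c
index 7206dcb..497665d 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1508,23 +1508,29 @@ add_mtab_exit:
 static int
 del_mtab(char *mountpoint)
 {
-	int tmprc, rc = 0;
+	int len, tmprc, rc = 0;
 	FILE *mnttmp, *mntmtab;
 	struct mntent *mountent;
-	char *mtabfile, *mtabdir, *mtabtmpfile;
+	char *mtabfile, *mtabdir, *mtabtmpfile = NULL;
 
 	mtabfile = strdup(MOUNTED);
-	mtabdir = dirname(mtabfile);
-	mtabdir = realloc(mtabdir, strlen(mtabdir) + strlen(MNT_TMP_FILE) + 2);
-	if (!mtabdir) {
-		fprintf(stderr, "del_mtab: cannot determine current mtab path");
+	if (!mtabfile) {
+		fprintf(stderr, "del_mtab: cannot strdup MOUNTED\n");
 		rc = EX_FILEIO;
 		goto del_mtab_exit;
 	}
 
-	mtabtmpfile = strcat(mtabdir, MNT_TMP_FILE);
+	mtabdir = dirname(mtabfile);
+	len = strlen(mtabdir) + strlen(MNT_TMP_FILE);
+	mtabtmpfile = malloc(len + 1);
 	if (!mtabtmpfile) {
-		fprintf(stderr, "del_mtab: cannot allocate memory to tmp file");
+		fprintf(stderr, "del_mtab: cannot allocate memory to tmp file\n");
+		rc = EX_FILEIO;
+		goto del_mtab_exit;
+	}
+
+	if (sprintf(mtabtmpfile, "%s%s", mtabdir, MNT_TMP_FILE) != len) {
+		fprintf(stderr, "del_mtab: error writing new string\n");
 		rc = EX_FILEIO;
 		goto del_mtab_exit;
 	}
@@ -1532,14 +1538,14 @@ del_mtab(char *mountpoint)
 	atexit(unlock_mtab);
 	rc = lock_mtab();
 	if (rc) {
-		fprintf(stderr, "del_mtab: cannot lock mtab");
+		fprintf(stderr, "del_mtab: cannot lock mtab\n");
 		rc = EX_FILEIO;
 		goto del_mtab_exit;
 	}
 
 	mtabtmpfile = mktemp(mtabtmpfile);
 	if (!mtabtmpfile) {
-		fprintf(stderr, "del_mtab: cannot setup tmp file destination");
+		fprintf(stderr, "del_mtab: cannot setup tmp file destination\n");
 		rc = EX_FILEIO;
 		goto del_mtab_exit;
 	}
@@ -1587,7 +1593,8 @@ del_mtab(char *mountpoint)
 
 del_mtab_exit:
 	unlock_mtab();
-	free(mtabdir);
+	free(mtabtmpfile);
+	free(mtabfile);
 	return rc;
 
 del_mtab_error: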
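Review bot: The `mktemp()` call kept as context in the second hunk (`@@ -1532,14 +1538,14 @@`) remains a weak spot after the allocation fixes: `mktemp()` only generates a name, leaving a window between choosing the name and creating the file, and the `if (!mtabtmpfile)` check after it likely never fires, because glibc's `mktemp()` always returns its argument and reports failure by turning the template into an empty string. The code that opens the temp file is outside the visible hunks, so the real exposure depends on how it is opened and on who can write to the mtab directory, but mount.cifs is commonly installed setuid root, which makes this worth closing. I would create the file atomically with `fd = mkstemp(mtabtmpfile); if (fd < 0) {` and pass the descriptor on to the later open (for example through `fdopen()`), or at minimum test `if (!*mtabtmpfile) {`. Separately, in the first hunk `len` is an `int` holding a sum of `strlen()` results; `size_t` together with `snprintf()` would be the more defensive form.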
-- 
1.8.3.1