diff options
| author | Jeff Layton <jlayton@samba.org> | 2013-10-10 22:05:05 -0400 |
|---|---|---|
| committer | Jeff Layton <jlayton@samba.org> | 2013-10-11 11:02:11 -0400 |
| commit | 7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3 (patch) | |
| tree | 5d6418f358989a353c575beecc483afc73cf3755 | |
| parent | 9f1c0722a3e20047bcffe3a43f229e891da8c01b (diff) | |
| download | cifs-utils-7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3.tar.gz cifs-utils-7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3.tar.bz2 cifs-utils-7e2e95d0c84bd6960c46f1fa1c8227c50dd7a4b3.zip | |
mount.cifs: fix bad free() of string returned by dirname()
Coverity says:
Error: CPPCHECK_WARNING: [#def10]
cifs-utils-6.2/mount.cifs.c:1518: error[memleakOnRealloc]: Common realloc mistake: 'mtabdir' nulled but not freed upon failure
del_mtab has a number of bugs in handling of allocated memory:
a) the return value of strdup() is not checked
b) It calls realloc() on a pointer that wasn't returned by an allocation
function (e.g. malloc, calloc, etc.)
c) If realloc() fails, it doesn't call free() on the original memory
returned by strdup()
Fix all of these bugs and add newlines to the end of the error messages
in del_mtab.
Signed-off-by: Jeff Layton <jlayton@samba.org>
| -rw-r--r-- | mount.cifs.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/mount.cifs.c b/mount.cifs.c index 7206dcb..497665d 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -1508,23 +1508,29 @@ add_mtab_exit: static int del_mtab(char *mountpoint) { - int tmprc, rc = 0; + int len, tmprc, rc = 0; FILE *mnttmp, *mntmtab; struct mntent *mountent; - char *mtabfile, *mtabdir, *mtabtmpfile; + char *mtabfile, *mtabdir, *mtabtmpfile = NULL; mtabfile = strdup(MOUNTED); - mtabdir = dirname(mtabfile); - mtabdir = realloc(mtabdir, strlen(mtabdir) + strlen(MNT_TMP_FILE) + 2); - if (!mtabdir) { - fprintf(stderr, "del_mtab: cannot determine current mtab path"); + if (!mtabfile) { + fprintf(stderr, "del_mtab: cannot strdup MOUNTED\n"); rc = EX_FILEIO; goto del_mtab_exit; } - mtabtmpfile = strcat(mtabdir, MNT_TMP_FILE); + mtabdir = dirname(mtabfile); + len = strlen(mtabdir) + strlen(MNT_TMP_FILE); + mtabtmpfile = malloc(len + 1); if (!mtabtmpfile) { - fprintf(stderr, "del_mtab: cannot allocate memory to tmp file"); + fprintf(stderr, "del_mtab: cannot allocate memory to tmp file\n"); + rc = EX_FILEIO; + goto del_mtab_exit; + } + + if (sprintf(mtabtmpfile, "%s%s", mtabdir, MNT_TMP_FILE) != len) { + fprintf(stderr, "del_mtab: error writing new string\n"); rc = EX_FILEIO; goto del_mtab_exit; } @@ -1532,14 +1538,14 @@ del_mtab(char *mountpoint) atexit(unlock_mtab); rc = lock_mtab(); if (rc) { - fprintf(stderr, "del_mtab: cannot lock mtab"); + fprintf(stderr, "del_mtab: cannot lock mtab\n"); rc = EX_FILEIO; goto del_mtab_exit; } mtabtmpfile = mktemp(mtabtmpfile); if (!mtabtmpfile) { - fprintf(stderr, "del_mtab: cannot setup tmp file destination"); + fprintf(stderr, "del_mtab: cannot setup tmp file destination\n"); rc = EX_FILEIO; goto del_mtab_exit; } @@ -1587,7 +1593,8 @@ del_mtab(char *mountpoint) del_mtab_exit: unlock_mtab(); - free(mtabdir); + free(mtabtmpfile); + free(mtabfile); return rc; del_mtab_error: |