nfs_rename_continue_1_internal: fix use-after-free

Spotted by clang analyzer.
This introduces another allocation to create a copy of the target path
of a rename in case it needs to be reported via rpc_set_error - it might
be a better idea to avoid the allocation and have a slightly less informative
error message?

Signed-off-by: Arne Redlich <arne.redlich@googlemail.com>

diff --git a/lib/libnfs.c b/lib/libnfs.c
index b2502ba8fa5ad2d066bc04deb301c7c492caa88b..3660b6c022a17c2513628083a8c7d876aca37153 100644 (file)
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -3889,19 +3889,28 @@ static int nfs_rename_continue_2_internal(struct nfs_context *nfs, struct nfs_cb
 static int nfs_rename_continue_1_internal(struct nfs_context *nfs, struct nfs_cb_data *data)
 {
        struct nfs_rename_data *rename_data = data->continue_data;
+       char* newpath = strdup(rename_data->newpath);
+       if (!newpath) {
+               rpc_set_error(nfs->rpc, "Out of memory. Could not allocate memory to store target path for rename");
+               data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+               free_nfs_cb_data(data);
+               return -1;
+       }
 
        /* steal the filehandle */
        rename_data->olddir = data->fh;
        data->fh.data.data_val = NULL;
 
        if (nfs_lookuppath_async(nfs, rename_data->newpath, data->cb, data->private_data, nfs_rename_continue_2_internal, rename_data, free_nfs_rename_data, 0) != 0) {
-               rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", rename_data->newpath);
+               rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", newpath);
                data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
                free_nfs_cb_data(data);
+               free(newpath);
                return -1;
        }
        data->continue_data = NULL;
        free_nfs_cb_data(data);
+       free(newpath);
 
        return 0;
 }