From: Ronnie Sahlberg
Date: Tue, 21 Jun 2011 08:33:50 +0000 (+1000)
Subject: Add a very subtle bug in nfs_set_error()
X-Git-Tag: upstream/1.9.6^2~390
X-Git-Url: https://git.piment-noir.org/?p=deb_libnfs.git;a=commitdiff_plain;h=1e8994af0fde29bb03c52c5c4a972ef8d8ddbc33
Add a very subtle bug in nfs_set_error() when nfs_set_error is called with error_string being the result of a lower layer problem so it is passed as "rpc_get_error()" This meant that since free that nfs->rpc->error_string before we reference it a few lines further down in the vasprintf(..., error_string, adn memory corruption triggers. Valgrind found this, Valgrind rules!
---
diff --git a/examples/nfsclient-sync.c b/examples/nfsclient-sync.c
index d4f6b0c..521bf4e 100644
--- a/examples/nfsclient-sync.c
+++ b/examples/nfsclient-sync.c
@@ -85,7 +85,7 @@ int main(int argc _U_, char *argv[] _U_)
 printf("Failed to mount nfs share : %s\n", nfs_get_error(nfs));
 exit(10);
 }
- printf("mounted share successfully\n");
+ printf("mounted share successfully %s\n", nfs_get_error(nfs));
 ret = nfs_stat(nfs, NFSFILE, &st);
diff --git a/lib/libnfs.c b/lib/libnfs.c
index 4380653..996b988 100644
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -2865,13 +2865,13 @@ size_t nfs_get_writemax(struct nfs_context *nfs)
 void nfs_set_error(struct nfs_context *nfs, char *error_string, ...)
 {
 va_list ap;
- char *str;
+ char *str = NULL;
+ va_start(ap, error_string);
+ vasprintf(&str, error_string, ap);
 if (nfs->rpc->error_string != NULL) {
 free(nfs->rpc->error_string);
 }
- va_start(ap, error_string);
- vasprintf(&str, error_string, ap);
 nfs->rpc->error_string = str;
 va_end(ap);
 }
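Review bot: The success-path printf in examples/nfsclient-sync.c now passes nfs_get_error(nfs) to `%s`, and right after a mount that succeeded there may be no recorded error at all; if nfs_get_error() returns NULL in that case (the getter is outside this diff), handing NULL to `%s` is undefined behaviour even though glibc happens to print "(null)". If the intent is to exercise the nfs_set_error() change in lib/libnfs.c, a guarded form such as `const char *e = nfs_get_error(nfs); printf("mounted share successfully %s\n", e ? e : "");` keeps the example well-defined. Otherwise printing an error string on the success path reads as a leftover debugging aid and deserves a comment saying so. main() continues outside the hunk.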
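Review bot: The return value of vasprintf() in nfs_set_error() is still unchecked after the move, so on allocation failure nfs->rpc->error_string is assigned whatever vasprintf left in str (glibc documents *strp as undefined on failure, so the `= NULL` initialiser does not cover it); `if (vasprintf(&str, error_string, ap) < 0) { str = NULL; }` keeps the context in a defined state, and `va_end(ap);` can then follow immediately instead of after the free. The reordering itself is correct: formatting before the free is what makes it safe for error_string to alias the old nfs->rpc->error_string, which the commit message says happens when callers pass rpc_get_error(). That aliasing also means a lower-layer message is being used as the printf format; if those messages can carry server-supplied text, any `%` in them is interpreted by vasprintf, so callers should pass it as `nfs_set_error(nfs, "%s", rpc_get_error(nfs->rpc));` and the prototype would benefit from `__attribute__((format(printf, 2, 3)))` so -Wformat can check call sites.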