From: Arne Redlich
Date: Mon, 17 Feb 2014 23:32:10 +0000 (+0100)
Subject: nfs_rename_continue_1_internal: fix use-after-free
X-Git-Tag: upstream/1.9.6^2~90
X-Git-Url: https://git.piment-noir.org/?p=deb_libnfs.git;a=commitdiff_plain;h=766bb4af757b6f07c316337f34221ddb769fb749

nfs_rename_continue_1_internal: fix use-after-free

Spotted by clang analyzer.

This introduces another allocation to create a copy of the target path of a rename in case it needs to be reported via rpc_set_error - it might be a better idea to avoid the allocation and have a slightly less informative error message?

Signed-off-by: Arne Redlich
---
diff --git a/lib/libnfs.c b/lib/libnfs.c
index b2502ba..3660b6c 100644
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -3889,19 +3889,28 @@ static int nfs_rename_continue_2_internal(struct nfs_context *nfs, struct nfs_cb
 static int nfs_rename_continue_1_internal(struct nfs_context *nfs, struct nfs_cb_data *data)
 {
 	struct nfs_rename_data *rename_data = data->continue_data;
+	char* newpath = strdup(rename_data->newpath);
+	if (!newpath) {
+		rpc_set_error(nfs->rpc, "Out of memory. Could not allocate memory to store target path for rename");
+		data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+		free_nfs_cb_data(data);
+		return -1;
+	}
 
 	/* steal the filehandle */
 	rename_data->olddir = data->fh;
 	data->fh.data.data_val = NULL;
 
 	if (nfs_lookuppath_async(nfs, rename_data->newpath, data->cb, data->private_data, nfs_rename_continue_2_internal, rename_data, free_nfs_rename_data, 0) != 0) {
-		rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", rename_data->newpath);
+		rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", newpath);
 		data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
 		free_nfs_cb_data(data);
+		free(newpath);
 		return -1;
 	}
 	data->continue_data = NULL;
 	free_nfs_cb_data(data);
+	free(newpath);
 	return 0;
 }
 
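Review bot: In the nfs_lookuppath_async failure branch the new code still calls `free_nfs_cb_data(data)` while `data->continue_data` points at `rename_data`; if that failure path is what releases `rename_data` through `free_nfs_rename_data` (the reason the old `rename_data->newpath` read was a use-after-free, per the commit title), then `free_nfs_cb_data` would hand the same object to `free_nfs_rename_data` a second time. Clearing the pointer before the cleanup, as the success path already does — `data->continue_data = NULL;` placed before `free_nfs_cb_data(data);` in that branch — closes that window; confirm against `free_nfs_cb_data` and `nfs_lookuppath_async`, neither of which is in this hunk. The strdup copy is taken before the filehandle is stolen, so the new ENOMEM exit correctly leaves `data->fh` for `free_nfs_cb_data` to release. Minor style: `char* newpath` departs from the `char *`-style declarator placement the signature line in this same hunk uses.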