From 766bb4af757b6f07c316337f34221ddb769fb749 Mon Sep 17 00:00:00 2001
From: Arne Redlich
Date: Tue, 18 Feb 2014 00:32:10 +0100
Subject: [PATCH] nfs_rename_continue_1_internal: fix use-after-free

Spotted by clang analyzer.

This introduces another allocation to create a copy of the target path of a rename in case it needs to be reported via rpc_set_error - it might be a better idea to avoid the allocation and have a slightly less informative error message?

Signed-off-by: Arne Redlich
---
 lib/libnfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/libnfs.c b/lib/libnfs.c
index b2502ba..3660b6c 100644
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -3889,19 +3889,28 @@ static int nfs_rename_continue_2_internal(struct nfs_context *nfs, struct nfs_cb
 static int nfs_rename_continue_1_internal(struct nfs_context *nfs, struct nfs_cb_data *data)
 {
 	struct nfs_rename_data *rename_data = data->continue_data;
+	char* newpath = strdup(rename_data->newpath);
+	if (!newpath) {
+		rpc_set_error(nfs->rpc, "Out of memory. Could not allocate memory to store target path for rename");
+		data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+		free_nfs_cb_data(data);
+		return -1;
+	}
 
 	/* steal the filehandle */
 	rename_data->olddir = data->fh;
 	data->fh.data.data_val = NULL;
 
 	if (nfs_lookuppath_async(nfs, rename_data->newpath, data->cb, data->private_data, nfs_rename_continue_2_internal, rename_data, free_nfs_rename_data, 0) != 0) {
-		rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", rename_data->newpath);
+		rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", newpath);
 		data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
 		free_nfs_cb_data(data);
+		free(newpath);
 		return -1;
 	}
 
 	data->continue_data = NULL;
 	free_nfs_cb_data(data);
+	free(newpath);
 	return 0;
 }
-- 
2.34.1
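Review bot: The strdup added at the top of nfs_rename_continue_1_internal is paid on every rename purely to keep the target path alive for an error string that is only emitted when nfs_lookuppath_async fails, and it introduces a second failure path (the `if (!newpath)` block) that must invoke the callback and tear down `data` correctly on its own. Both can be avoided by taking the option the commit description already raises: replace the failing-branch message with `rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for rename target");` and delete the strdup, its NULL check and the two `free(newpath)` calls, which removes the use-after-free without any new allocation. If nfs_lookuppath_async records its own rpc error on failure (its body is not visible here), the path is presumably available in that message anyway, and the outer rpc_set_error is overwriting it. Separately, `char* newpath` departs from the `char *` pointer placement used by the neighbouring declarations in this hunk; `char *newpath` would match the file.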