Bug#993373: Subject: [PATCH 2/2] Fix use-after-free bug in realpath()
The memory provided by `buf` is still referenced by `path` and used after
the free call. Delay the freeing until after using it.
---
src/realpath.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/realpath.c b/src/realpath.c
index 1cf7eaf..9133605 100644
--- a/src/realpath.c
+++ b/src/realpath.c
@@ -64,6 +64,7 @@ private_realpath(const char *path, char *resolved_path, int maxreslth) {
char link_path[PATH_MAX+1];
int n;
char *buf = NULL;
+ char *oldbuf = NULL;
npath = resolved_path;
@@ -141,12 +142,19 @@ private_realpath(const char *path, char *resolved_path, int maxreslth) {
/* Insert symlink contents into path. */
m = strlen(path);
- if (buf)
- free(buf);
+ if (buf) {
+ /* Delay freeing of 'buf', as 'path' might
+ * still be pointing to it. */
+ oldbuf = buf;
+ }
buf = xmalloc(m + n + 1);
memcpy(buf, link_path, n);
memcpy(buf + n, path, m + 1);
path = buf;
+ if (oldbuf) {
+ free(oldbuf);
+ oldbuf = NULL;
+ }
#endif
}
*npath++ = '/';
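Review bot: The `if (buf)` guard around `oldbuf = buf;` and the `if (oldbuf)` guard plus `oldbuf = NULL;` reset after `path = buf;` are redundant: when `buf` is NULL, `oldbuf` stays NULL and `free(NULL)` is a no-op, so the new code reduces to `oldbuf = buf;` before the `xmalloc` call and `free(oldbuf);` after `path = buf;`. The ordering itself is right as written, since the second `memcpy` reads through `path` (which may still alias `oldbuf`) into the freshly allocated `buf` before anything is released; the comment should say that explicitly, e.g. `/* 'path' may alias the previous 'buf'; keep it alive until it has been copied into the new buffer. */`. `oldbuf` is declared at function scope in the first hunk but only used inside this `#ifdef` block, so it could be a block-local declaration next to its use, assuming nothing outside the hunk reads it. `private_realpath` starts and ends outside this hunk, and the `#endif` shown implies a preprocessor conditional whose opening is also outside the hunk.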
--
2.31.1