From: Simon Wilkinson Date: Tue, 19 Feb 2013 17:30:14 +0000 (+0000) Subject: libafscp: Don't free bogus ptr in ResolvPathFromVol X-Git-Tag: upstream/1.8.0_pre1^2~1497 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=735c9cff53bbf6f2b250a719507d7909e77c48e2;p=packages%2Fo%2Fopenafs.git libafscp: Don't free bogus ptr in ResolvPathFromVol afscp_ResolvPathFromVol makes a copy of the path passed to it using strdup. It then iterates across that, removing initial '/' characters. However, this iteration means that 'p' no longer points to the start of the allocated memory - when we free 'p', we may actually be freeing an offset into the block, which will make malloc unhappy. Make a copy of the result from strdup, and use that to free the block. Caught by clang-analyzer Change-Id: I0e7d8c7cf3b70baa4868c65fb4c3a32474557628 Reviewed-on: http://gerrit.openafs.org/9196 Reviewed-by: Derrick Brashear Tested-by: BuildBot --- diff --git a/src/libafscp/afscp_dir.c b/src/libafscp/afscp_dir.c index ff0538701..b3d42b1c9 100644 --- a/src/libafscp/afscp_dir.c +++ b/src/libafscp/afscp_dir.c @@ -743,10 +743,10 @@ struct afscp_venusfid * afscp_ResolvePathFromVol(const struct afscp_volume *v, const char *path) { struct afscp_venusfid *root, *ret; - char *p; + char *origp, *p; /* so we can modify the string */ - p = strdup(path); + origp = p = strdup(path); if (p == NULL) { afscp_errno = ENOMEM; return NULL; @@ -759,6 +759,6 @@ afscp_ResolvePathFromVol(const struct afscp_volume *v, const char *path) free(root); } else ret = root; - free(p); + free(origp); return ret; }
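Review bot: In the first hunk, the declaration `char *origp, *p;` keeps "so we can modify the string" as its only comment, which does not say why two pointers are now needed. Suggest a short comment stating that origp holds the address returned by strdup for the final free(), while p is the cursor that gets advanced past leading '/' characters. That would keep a later cleanup from folding the two variables back into one. The `if (p == NULL)` check still covers origp, since both are assigned from the same strdup call.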
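Review bot: In the second hunk, only the final free before `return ret;` is switched to origp, and the lines between the ENOMEM return in the first hunk and this point are not shown in the diff. Please confirm that no other exit path in that range returns without freeing the copy or still calls free(p). Any such path would either leak the strdup'd buffer or hit the same invalid free of an offset pointer that this change addresses.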