[PATCH] mount.cifs: fix crash when mount point does not exist

* [PATCH] mount.cifs: fix crash when mount point does not exist
@ 2021-05-06 19:25 Paulo Alcantara
  2021-05-07 10:42 ` Aurélien Aptel
  0 siblings, 1 reply; 3+ messages in thread
From: Paulo Alcantara @ 2021-05-06 19:25 UTC (permalink / raw)
  To: linux-cifs, piastryyy; +Cc: Paulo Alcantara

@mountpointp is initially set to a statically allocated string in
main(), and if we fail to update it in acquire_mountpoint(), make sure
to set it to NULL and avoid freeing it at mount_exit.

This fixes the following crash

	$ mount.cifs //srv/share /mnt/foo/bar -o ...
	Couldn't chdir to /mnt/foo/bar: No such file or directory
	munmap_chunk(): invalid pointer
	Aborted

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
---
 mount.cifs.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index 7f898bbd215a..84274c98ddf5 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1996,9 +1996,9 @@ acquire_mountpoint(char **mountpointp)
 	 */
 	realuid = getuid();
 	if (realuid == 0) {
-		dacrc = toggle_dac_capability(0, 1);
-		if (dacrc)
-			return dacrc;
+		rc = toggle_dac_capability(0, 1);
+		if (rc)
+			goto out;
 	} else {
 		oldfsuid = setfsuid(realuid);
 		oldfsgid = setfsgid(getgid());
@@ -2019,7 +2019,6 @@ acquire_mountpoint(char **mountpointp)
 		rc = EX_SYSERR;
 	}
 
-	*mountpointp = mountpoint;
 restore_privs:
 	if (realuid == 0) {
 		dacrc = toggle_dac_capability(0, 0);
@@ -2030,9 +2029,13 @@ restore_privs:
 		gid_t __attribute__((unused)) gignore = setfsgid(oldfsgid);
 	}
 
-	if (rc)
+out:
+	if (rc) {
 		free(mountpoint);
+		mountpoint = NULL;
+	}
 
+	*mountpointp = mountpoint;
 	return rc;
 }
 
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread