Fix crash caused by freeing a stack address
author Miklos Szeredi <mszeredi@suse.cz>
Thu, 19 Jul 2012 13:05:56 +0000 (15:05 +0200)
committer Miklos Szeredi <mszeredi@suse.cz>
Thu, 19 Jul 2012 13:05:56 +0000 (15:05 +0200)
The failure path of try_get_path2() erroneously tried to free the "path1" value
(an address on the stack) instead of the allocated string pointed to by "path1".
This caused the library to crash.

Reported by Itay Perl

ChangeLog
lib/fuse.c

index 987b687850737b0e6d17af599d778db1ccaf443b..4dee6e56e7e0b293124dd68711fdcfee85530ef8 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-07-19  Miklos Szeredi <miklos@szeredi.hu>
+
+       * Fix crash caused by freeing a stack address.  Reported by Itay
+       Perl
+
 2012-07-04  Miklos Szeredi <miklos@szeredi.hu>
 
        * Fix install of mount.fuse from out-of-tree build.  Patch by
index 644878b9425a85e57f1e9296256ecba1259d150a..3c7f6425a3ec1de41bf83307686e92a654ee6c1a 100644 (file)
@@ -1162,7 +1162,7 @@ static int try_get_path2(struct fuse *f, fuse_ino_t nodeid1, const char *name1,
                        struct node *wn1 = wnode1 ? *wnode1 : NULL;
 
                        unlock_path(f, nodeid1, wn1, NULL, ticket);
-                       free(path1);
+                       free(*path1);
                        if (ticket && err != -EAGAIN)
                                release_tickets(f, nodeid1, wn1, ticket);
                }
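Review bot: after `free(*path1);` in this failure path, `*path1` still holds the freed address, so the caller's out-parameter is left dangling on an error return. If any caller inspects or frees its pointer after a failure, that becomes a use-after-free or a double free. The visible context does not show how callers treat the pointer on error, so this is a defensive suggestion: follow the free with `*path1 = NULL;` so the out-parameter is in a defined state whenever try_get_path2() fails. A short comment on the function stating that `*path1` is only valid on a zero return would also help prevent a repeat of the pointer versus pointee confusion fixed here.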