From 3c4c063a2fd5cc6e9ce2b5db82e2a0dfa59b2e40 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi
Date: Thu, 19 Jul 2012 15:05:56 +0200
Subject: Fix crash caused by freeing a stack address

The failure path of try_get_path2() erronously tried to free the "path1" value (an address on the stack) instead of the allocated string pointed to by "path1". This caused the library to crash. Reported by Itay Perl
---
 ChangeLog | 5 +++++
 lib/fuse.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 987b687..4dee6e5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-07-19 Miklos Szeredi
+
+ * Fix crash caused by freeing a stack address. Reported by Itay
+ Perl
+
 2012-07-04 Miklos Szeredi
 * Fix install of mount.fuse from out-of-tree build. Patch by
diff --git a/lib/fuse.c b/lib/fuse.c
index 644878b..3c7f642 100644
--- a/lib/fuse.c
+++ b/lib/fuse.c
@@ -1162,7 +1162,7 @@ static int try_get_path2(struct fuse *f, fuse_ino_t nodeid1, const char *name1,
 struct node *wn1 = wnode1 ? *wnode1 : NULL;
 unlock_path(f, nodeid1, wn1, NULL, ticket);
- free(path1);
+ free(*path1);
 if (ticket && err != -EAGAIN)
 release_tickets(f, nodeid1, wn1, ticket);
 }
--
cgit v1.2.1
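Review bot: After the corrected `free(*path1);` in the lib/fuse.c hunk, the caller's pointer still holds the freed address, so any later use or second free of it on the error path would be a use-after-free or double free. Following the call with `*path1 = NULL;` would turn that into a harmless `free(NULL)` or an immediate, diagnosable fault. Whether any caller touches the path after a failure cannot be seen here, since the body of try_get_path2() and its callers start and end outside the hunk. A short comment such as `/* path1 is an out-parameter; release the string it points to, not the caller's slot */` would also help, because `free()` takes `void *` and the compiler will not flag passing the `char **` itself.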