Libguestfs - May 2018 - [PATCH v2] fuse: mount_local: Fix crash when called from Java binding.

"localmountpoint" parameter is allocated in JNI before calling
mount_local and freed afterward.  But guestfs handle keeps reference
to passed "localmountpoint" parameter and will try to access it in
umount_local and free after mount_local_run caller thread ends
which leads to a crash (an attempt to access to already freed memory).
---
 lib/fuse.c   | 5 +++--
 lib/handle.c | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/fuse.c b/lib/fuse.c
index 9731db962..82bddec00 100644
--- a/lib/fuse.c
+++ b/lib/fuse.c
@@ -1047,7 +1047,7 @@ guestfs_impl_mount_local (guestfs_h *g, const char
*localmountpoint,
 
   /* Set g->localmountpoint in the handle. */
   gl_lock_lock (mount_local_lock);
-  g->localmountpoint = localmountpoint;
+  g->localmountpoint = safe_strdup (g, localmountpoint);
   gl_lock_unlock (mount_local_lock);
 
   return 0;
@@ -1090,6 +1090,7 @@ guestfs_impl_mount_local_run (guestfs_h *g)
 
   guestfs_int_free_fuse (g);
   gl_lock_lock (mount_local_lock);
+  free (g->localmountpoint);
   g->localmountpoint = NULL;
   gl_lock_unlock (mount_local_lock);
 
@@ -1148,7 +1149,7 @@ guestfs_impl_umount_local (guestfs_h *g,
     return -1;
   if (WIFEXITED (r) && WEXITSTATUS (r) == EXIT_SUCCESS)
     /* External fusermount succeeded.  Note that the original thread
-     * is responsible for setting g->localmountpoint to NULL.
+     * is responsible for freeing memory and setting g->localmountpoint to
NULL.
      */
     return 0;
 
diff --git a/lib/handle.c b/lib/handle.c
index 449ab42a6..bc45d29b2 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -399,6 +399,7 @@ guestfs_close (guestfs_h *g)
   free (g->hv);
   free (g->backend);
   free (g->backend_data);
+  free (g->localmountpoint);
   guestfs_int_free_string_list (g->backend_settings);
   free (g->append);
   guestfs_int_free_error_data_list (g);
-- 
2.17.0