With -a, the jump to mount_it_now can skip the initialization of f, and

if we don't zero it after closing it we re-close a filehandle that isn't
open, and since this is a file _pointer_ it segfaults on a double free.

Yeah, subtle bug.  I need to break this out into separate functions if I can
figure out how to avoid making the code larger while doing so.  Part of
the general -a and -o remount work I need to do, but that's after 1.1.0...

diff --git a/util-linux/mount.c b/util-linux/mount.c
index e0a2e2930fcbc03812e65e22038949f62a6152a6..4777e470b56aa419f4f27381afc694cff3831d71 100644 (file)
--- a/util-linux/mount.c
+++ b/util-linux/mount.c
@@ -327,8 +327,11 @@ mount_it_now:
                                }
                                if(!rc || !f) break;
                        }
-                       if(f) fclose(f);
-                       if(!f || !rc) break;
+                       if(!f) break;
+                       fclose(f);
+                       // goto mount_it_now with -a can jump past the initialization
+                       f=0;
+                       if(!rc) break;
                }
 
                /* If the mount was successful, and we're maintaining an old-style