Fix possible double free in cli_command_name

Rob Sanders · David Parrish · commit 52cf0a1c9e82 · 2018-09-16T17:28:53.000+01:00
Coverity indicates a possible double free in cli_command_name.  This
appears to be due to name being set to cli-&gt;commandname, and then if
this is not null name is freed, but cli-&gt;commandname is untouched.  If
this routine exits early (for example, the calloc fails), then
cli-&gt;commandname is now pointing to a freed memory block.

Fixed by ensuring that cli-&gt;commandname is freed and set to null if
not null already before assigning cli-&gt;commandname to name.
diff --git a/libcli.c b/libcli.c
@@ -163,12 +163,19 @@ static ssize_t _write(int fd, const void *buf, size_t count)
     }
     return written;
 }
+
 char *cli_command_name(struct cli_def *cli, struct cli_command *command)
 {
-    char *name = cli->commandname;
+    char *name;
     char *o;
 
-    if (name) free(name);
+    if (cli->commandname)
+    {
+        free(cli->commandname);
+        cli->commandname = NULL;
+    }
+    name = cli->commandname;
+
     if (!(name = calloc(1, 1)))
         return NULL;
 
