Date: Thu, 12 May 2016 07:20:16 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "Conrad E. Meyer" <cem@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r299514 - head/sys/fs/nfsserver
Message-ID: <1419951537.97517297.1463052016916.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <201605120503.u4C53CiH062765@repo.freebsd.org>
References: <201605120503.u4C53CiH062765@repo.freebsd.org>
Oh, and I'll MFC it in 2 weeks unless there is an objection, rick ----- Original Message ----- > Author: cem > Date: Thu May 12 05:03:12 2016 > New Revision: 299514 > URL: https://svnweb.freebsd.org/changeset/base/299514 > > Log: > nfsd: Fix use-after-free in NFS4 lock test service > > Trivial use-after-free where stp was freed too soon in the non-error path. > To fix, simply move its release to the end of the routine. > > Reported by: Coverity > CID: 1006105 > Sponsored by: EMC / Isilon Storage Division > > Modified: > head/sys/fs/nfsserver/nfs_nfsdserv.c > > Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c > ============================================================================== > --- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 (r299513) > +++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 (r299514) > @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > if (!nd->nd_repstat) > nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid, > &stateid, exp, nd, p); > - if (stp) > - FREE((caddr_t)stp, M_NFSDSTATE); > if (nd->nd_repstat) { > if (nd->nd_repstat == NFSERR_DENIED) { > NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); > @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > } > } > vput(vp); > + if (stp) > + FREE((caddr_t)stp, M_NFSDSTATE); > NFSEXITCODE2(0, nd); > return (0); > nfsmout: > >
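Review bot: The log does not say which later access to stp made the early release unsafe, and the context of the first hunk (@@ -2437,8 +2437,6), where `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` is dropped right after the nfsrv_lockctrl() call, does not show that access either. Naming it in the commit message, or in a one-line comment at the new release site, would keep a later cleanup from moving the free back up next to the call that fills in stp.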
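Review bot: The relocated release in the second hunk (@@ -2460,6 +2458,8) sits only on the fall-through exit, between `vput(vp);` and `return (0);`, and the `nfsmout:` label that follows is cut off by the hunk, so the visible lines do not show whether a jump to that label with stp still set frees it. Please confirm that the nfsmout path either cannot be reached while stp is non-NULL or releases it as well; if it can, a single release point shared by both exits would avoid trading the use-after-free for a leak.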