Date:      Thu, 12 May 2016 07:18:44 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        "Conrad E. Meyer" <cem@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r299514 - head/sys/fs/nfsserver
Message-ID:  <591151865.97516789.1463051924304.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <201605120503.u4C53CiH062765@repo.freebsd.org>
References:  <201605120503.u4C53CiH062765@repo.freebsd.org>

Thanks for spotting/fixing this, rick

----- Original Message -----
> Author: cem
> Date: Thu May 12 05:03:12 2016
> New Revision: 299514
> URL: https://svnweb.freebsd.org/changeset/base/299514
> 
> Log:
>   nfsd: Fix use-after-free in NFS4 lock test service
>   
>   Trivial use-after-free where stp was freed too soon in the non-error path.
>   To fix, simply move its release to the end of the routine.
>   
>   Reported by:	Coverity
>   CID:		1006105
>   Sponsored by:	EMC / Isilon Storage Division
> 
> Modified:
>   head/sys/fs/nfsserver/nfs_nfsdserv.c
> 
> Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
> ==============================================================================
> --- head/sys/fs/nfsserver/nfs_nfsdserv.c	Thu May 12 04:54:32 2016	(r299513)
> +++ head/sys/fs/nfsserver/nfs_nfsdserv.c	Thu May 12 05:03:12 2016	(r299514)
> @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
>  	if (!nd->nd_repstat)
>  	  nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
>  	    &stateid, exp, nd, p);
> -	if (stp)
> -		FREE((caddr_t)stp, M_NFSDSTATE);
>  	if (nd->nd_repstat) {
>  	    if (nd->nd_repstat == NFSERR_DENIED) {
>  		NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
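Review bot: with the early `FREE((caddr_t)stp, M_NFSDSTATE);` dropped from just after the nfsrv_lockctrl() call, stp stays live across the whole `if (nd->nd_repstat)` reply-building block, but neither the hunk nor the log says which later statement still reads it. The log calls this the non-error path, while the context immediately following the removed lines is the NFSERR_DENIED branch, so naming the offending dereference in the commit message or in a one-line comment would make the lifetime requirement obvious to the next reader. Since stp is passed by address (`&stp`), the `if (stp)` guard also depends on what nfsrv_lockctrl() leaves in the pointer on return; a short comment stating that contract would help.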
> @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
>  	    }
>  	}
>  	vput(vp);
> +	if (stp)
> +		FREE((caddr_t)stp, M_NFSDSTATE);
>  	NFSEXITCODE2(0, nd);
>  	return (0);
>  nfsmout:
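Review bot: the relocated `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` sits on the path that ends in `return (0);`, and the `nfsmout:` label comes after that return, so any jump to nfsmout taken while stp is still allocated bypasses the free. The body of the label is not visible in this hunk; please confirm that nothing between the old and new free positions can branch to nfsmout, or that the label releases stp itself, so the fix does not leave a leak on that exit. Placing the free after `vput(vp);` looks fine as long as nothing between it and the return touches stp.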
> 
> 


