Date:      Fri, 27 May 2016 23:15:58 +0000 (UTC)
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r300887 - stable/9/sys/fs/nfsserver
Message-ID:  <201605272315.u4RNFwFB003061@repo.freebsd.org>

Author: rmacklem
Date: Fri May 27 23:15:58 2016
New Revision: 300887
URL: https://svnweb.freebsd.org/changeset/base/300887

Log:
  MFC: r299514
  Fix use-after-free in NFS4 lock test service.
  
  Trivial use-after-free where stp was freed too soon in the non-error path.
  To fix, simply move its release to the end of the routine.

Modified:
  stable/9/sys/fs/nfsserver/nfs_nfsdserv.c
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/fs/   (props changed)

Modified: stable/9/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- stable/9/sys/fs/nfsserver/nfs_nfsdserv.c	Fri May 27 23:03:44 2016	(r300886)
+++ stable/9/sys/fs/nfsserver/nfs_nfsdserv.c	Fri May 27 23:15:58 2016	(r300887)
@@ -2395,8 +2395,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, 
 	if (!nd->nd_repstat)
 	  nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
 	    &stateid, exp, nd, p);
-	if (stp)
-		FREE((caddr_t)stp, M_NFSDSTATE);
 	if (nd->nd_repstat) {
 	    if (nd->nd_repstat == NFSERR_DENIED) {
 		NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
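Review bot: With the `if (stp) FREE(...)` pair removed directly after the nfsrv_lockctrl() call, nothing at that spot records why stp has to outlive the call, so a later cleanup could move the release back up. A one-line comment there saying that stp is still referenced further down and is released at the end of the routine would guard against that. The log describes the early free as a problem in the non-error path, while the code following the removed lines in this hunk is the `if (nd->nd_repstat)` branch; naming the statement that actually dereferences stp, in the log or in the comment, would make the fix easier to audit.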
@@ -2418,6 +2416,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, 
 	    }
 	}
 	vput(vp);
+	if (stp)
+		FREE((caddr_t)stp, M_NFSDSTATE);
 	NFSEXITCODE2(0, nd);
 	return (0);
 nfsmout:
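Review bot: The release added after `vput(vp)` covers only the path that falls through to `return (0)`; the `nfsmout:` label that follows is a separate exit whose body is not visible in this hunk. Please confirm that every jump to nfsmout either happens before stp is allocated or reaches a path that releases it, otherwise moving the free to the end of the normal path trades the use-after-free for a leak of the M_NFSDSTATE allocation on the error exit. If both exits need the release, a single cleanup point shared by them would be less fragile than two copies of `if (stp) FREE(...)`.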


