Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a3cac6c6d1f56dc26939eb41be29844f897c15a
Commit:     1a3cac6c6d1f56dc26939eb41be29844f897c15a
Parent:     8eb891fc809b2300137bcd247025628c06c95a63
Author:     Eric Van Hensbergen <[EMAIL PROTECTED]>
AuthorDate: Thu Jul 26 14:04:54 2007 -0500
Committer:  Eric Van Hensbergen <[EMAIL PROTECTED]>
CommitDate: Thu Aug 23 10:12:48 2007 -0500

    9p: fix use after free
    
    On 7/22/07, Adrian Bunk <[EMAIL PROTECTED]> wrote:
         The Coverity checker spotted the following use-after-free
         in net/9p/mux.c:
    
         <--  snip  -->
    
         ...
         struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
                                             unsigned char *extended)
         {
         ...
                 if (!m->tagpool) {
                         kfree(m);
                         return ERR_PTR(PTR_ERR(m->tagpool));
                 }
         ...
    
         <--  snip  -->
    
    Also spotted was a leak of the same structure further down in the function.
    
    Signed-off-by: Eric Van Hensbergen <[EMAIL PROTECTED]>
---
 net/9p/mux.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/9p/mux.c b/net/9p/mux.c
index acb0388..5d70558 100644
--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, 
int msize,
        m->extended = extended;
        m->trans = trans;
        m->tagpool = p9_idpool_create();
-       if (!m->tagpool) {
+       if (IS_ERR(m->tagpool)) {
+               mtmp = ERR_PTR(-ENOMEM);
                kfree(m);
-               return ERR_PTR(PTR_ERR(m->tagpool));
+               return mtmp;
        }
 
        m->err = 0;
@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, 
int msize,
        memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
        m->poll_task = NULL;
        n = p9_mux_poll_start(m);
-       if (n)
+       if (n) {
+               kfree(m);
                return ERR_PTR(n);
+       }
 
        n = trans->poll(trans, &m->pt);
        if (n & POLLIN) {
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to