On 07/11/2018 03:26 AM, jiangyiwen wrote: > On 2018/7/10 6:29, Tomas Bortoli wrote: >> The p9_client_version() does not initialize the version >> pointer. If the call to p9pdu_readf() returns an error and version has not >> been allocated in p9pdu_readf(), then the program will jump to the "error" >> label and will try to free the version pointer. If version is not >> initialized, free() will be called with uninitialized, garbage data and >> will provoke a crash. >> >> Signed-off-by: Tomas Bortoli <[email protected]> > Reviewed-by: Yiwen Jiang <[email protected]> > >> Reported-by: [email protected] >> --- >> net/9p/client.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/net/9p/client.c b/net/9p/client.c >> index 18c5271910dc..40f7c47f2f74 100644 >> --- a/net/9p/client.c >> +++ b/net/9p/client.c >> @@ -957,7 +957,7 @@ static int p9_client_version(struct p9_client *c) >> { >> int err = 0; >> struct p9_req_t *req; >> - char *version; >> + char *version = NULL; >> int msize; >> >> p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n", >> >
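Review bot: Initializing `version` to NULL is enough to make the error path safe only because kfree() treats a NULL pointer as a no-op, so when p9pdu_readf() fails before allocating the string the jump to the "error" label no longer frees an uninitialized pointer; it would help to state that in the commit message, which currently says free() rather than kfree(). The hunk context does not show the error label itself, so it is worth confirming that nothing there dereferences `version` before the free, since a NULL there would still be a crash of a different kind.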
+ Cc: Andrew Morton <[email protected]>

This goes with the other patch: [V9fs-developer] [PATCH] p9_parse_header() validate PDU length

Tomas

