Author: cem
Date: Thu May 12 05:03:12 2016
New Revision: 299514
URL: https://svnweb.freebsd.org/changeset/base/299514

Log:
  nfsd: Fix use-after-free in NFS4 lock test service
  
  Trivial use-after-free where stp was freed too soon in the non-error path.
  To fix, simply move its release to the end of the routine.
  
  Reported by:  Coverity
  CID:          1006105
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/sys/fs/nfsserver/nfs_nfsdserv.c

Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- head/sys/fs/nfsserver/nfs_nfsdserv.c        Thu May 12 04:54:32 2016        
(r299513)
+++ head/sys/fs/nfsserver/nfs_nfsdserv.c        Thu May 12 05:03:12 2016        
(r299514)
@@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, 
        if (!nd->nd_repstat)
          nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
            &stateid, exp, nd, p);
-       if (stp)
-               FREE((caddr_t)stp, M_NFSDSTATE);
        if (nd->nd_repstat) {
            if (nd->nd_repstat == NFSERR_DENIED) {
                NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, 
            }
        }
        vput(vp);
+       if (stp)
+               FREE((caddr_t)stp, M_NFSDSTATE);
        NFSEXITCODE2(0, nd);
        return (0);
 nfsmout:
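Review bot: The relocated `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` after `vput(vp)` has no comment recording why the release must come last, and the lines that still read `stp` after `nfsrv_lockctrl()` are not visible in either hunk. A later cleanup could therefore move the free back up and reintroduce the use-after-free; I would add `/* stp is still referenced while the reply is built above; release it only after the last use. */` directly above the `if (stp)`. The `if (stp)` guard also suggests `nfsrv_lockctrl()` may consume the pointer and clear it through `&stp`, so that ownership contract is worth stating in the same comment once confirmed. The body under `nfsmout:` lies outside the hunk, so it is worth checking that the error exit releases `stp` exactly once as well and that no path reaches both frees.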