Author: rmacklem
Date: Thu May 26 21:32:16 2016
New Revision: 300778
URL: https://svnweb.freebsd.org/changeset/base/300778
Log:
MFC: r299514
Fix use-after-free in NFS4 lock test service.
Trivial use-after-free where stp was freed too soon in the non-error path.
To fix, simply move its release to the end of the routine.
Modified:
stable/10/sys/fs/nfsserver/nfs_nfsdserv.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- stable/10/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 26 21:09:07 2016
(r300777)
+++ stable/10/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 26 21:32:16 2016
(r300778)
@@ -2416,8 +2416,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
if (!nd->nd_repstat)
nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
&stateid, exp, nd, p);
- if (stp)
- FREE((caddr_t)stp, M_NFSDSTATE);
if (nd->nd_repstat) {
if (nd->nd_repstat == NFSERR_DENIED) {
NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2439,6 +2437,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
}
}
vput(vp);
+ if (stp)
+ FREE((caddr_t)stp, M_NFSDSTATE);
NFSEXITCODE2(0, nd);
return (0);
nfsmout:
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
