Oh, and I'll MFC it in 2 weeks unless there is an objection, rick
----- Original Message ----- > Author: cem > Date: Thu May 12 05:03:12 2016 > New Revision: 299514 > URL: https://svnweb.freebsd.org/changeset/base/299514 > > Log: > nfsd: Fix use-after-free in NFS4 lock test service > > Trivial use-after-free where stp was freed too soon in the non-error path. > To fix, simply move its release to the end of the routine. > > Reported by: Coverity > CID: 1006105 > Sponsored by: EMC / Isilon Storage Division > > Modified: > head/sys/fs/nfsserver/nfs_nfsdserv.c > > Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c > ============================================================================== > --- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 > (r299513) > +++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 > (r299514) > @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > if (!nd->nd_repstat) > nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid, > &stateid, exp, nd, p); > - if (stp) > - FREE((caddr_t)stp, M_NFSDSTATE); > if (nd->nd_repstat) { > if (nd->nd_repstat == NFSERR_DENIED) { > NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); > @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > } > } > vput(vp); > + if (stp) > + FREE((caddr_t)stp, M_NFSDSTATE); > NFSEXITCODE2(0, nd); > return (0); > nfsmout: > > _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
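Review bot: in the first hunk (@@ -2437), the log does not say which later access to stp was reached after the removed `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);`, and the hunk does not show it either. The context that follows the removed lines is the `if (nd->nd_repstat)` / `NFSERR_DENIED` reply-building branch, while the log describes the non-error path. Naming the statement that still reads stp would let a reader confirm that the new position of the free comes after the last use.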
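Review bot: in the second hunk (@@ -2460), the relocated free sits after `vput(vp);` and before `return (0);`, so the `nfsmout:` exit directly below it does not pass through it. Please confirm that the `nfsmout:` path either releases stp itself or cannot be reached with stp allocated. If neither holds, the free belongs at a point both exits share.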