Author: rmacklem
Date: Fri May 27 23:15:58 2016
New Revision: 300887
URL: https://svnweb.freebsd.org/changeset/base/300887
Log:
MFC: r299514
Fix use-after-free in NFS4 lock test service.
Trivial use-after-free where stp was freed too soon in the non-error path.
To fix, simply move its release to the end of the routine.
Modified:
stable/9/sys/fs/nfsserver/nfs_nfsdserv.c
Directory Properties:
stable/9/sys/ (props changed)
stable/9/sys/fs/ (props changed)
Modified: stable/9/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- stable/9/sys/fs/nfsserver/nfs_nfsdserv.c Fri May 27 23:03:44 2016
(r300886)
+++ stable/9/sys/fs/nfsserver/nfs_nfsdserv.c Fri May 27 23:15:58 2016
(r300887)
@@ -2395,8 +2395,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
if (!nd->nd_repstat)
nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
&stateid, exp, nd, p);
- if (stp)
- FREE((caddr_t)stp, M_NFSDSTATE);
if (nd->nd_repstat) {
if (nd->nd_repstat == NFSERR_DENIED) {
NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2418,6 +2416,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
}
}
vput(vp);
+ if (stp)
+ FREE((caddr_t)stp, M_NFSDSTATE);
NFSEXITCODE2(0, nd);
return (0);
nfsmout:
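Review bot: The relocated `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` ahead of `NFSEXITCODE2(0, nd)` has no comment recording why it must come last, and that ordering is the invariant whose violation the log describes as a use-after-free. I would put `/* stp may still be referenced until the reply is complete; release it only here. */` above it so a later cleanup does not hoist the free back up. The release shown here covers only the success return; the `nfsmout:` path begins on the last line of the hunk and its body is not visible, so confirm that it also releases stp, otherwise an error jump taken after stp is allocated would leak it. nfsrvd_lockt starts and ends outside the hunk, so which later statement actually reads stp cannot be confirmed from these lines.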