svn commit: r295574 - head/sys/fs/tmpfs

Mark Johnston markj at FreeBSD.org
Fri Feb 12 20:43:54 UTC 2016


Author: markj
Date: Fri Feb 12 20:43:53 2016
New Revision: 295574
URL: https://svnweb.freebsd.org/changeset/base/295574

Log:
  Clear the cookie pointer on error in tmpfs_readdir().
  
  It is otherwise left dangling, and callers that request cookies always free
  the cookie buffer, even when VOP_READDIR(9) returns an error. This results
  in a double free if tmpfs_readdir() returns an error to the NFS server or
  the Linux getdents(2) emulation code.
  
  Reported by:	pho
  MFC after:	1 week
  Security:	double free of malloc(9)-backed memory
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/fs/tmpfs/tmpfs_vnops.c

Modified: head/sys/fs/tmpfs/tmpfs_vnops.c
==============================================================================
--- head/sys/fs/tmpfs/tmpfs_vnops.c	Fri Feb 12 20:14:03 2016	(r295573)
+++ head/sys/fs/tmpfs/tmpfs_vnops.c	Fri Feb 12 20:43:53 2016	(r295574)
@@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v
 	if (error == EJUSTRETURN)
 		error = (uio->uio_resid != startresid) ? 0 : EINVAL;
 
-	if (error != 0 && cookies != NULL)
+	if (error != 0 && cookies != NULL && ncookies != NULL) {
 		free(*cookies, M_TEMP);
+		*cookies = NULL;
+		*ncookies = 0;
+	}
 
 	if (eofflag != NULL)
 		*eofflag =
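
Review bot: The added `ncookies != NULL` test in the error-path condition makes the whole cleanup depend on both pointers, but nothing in this hunk shows that `cookies` and `ncookies` are always passed together. With `cookies` set and `ncookies` NULL, the block is skipped entirely and the buffer is left for the caller to free, so the function has two different error-path behaviours depending on an argument unrelated to the buffer. If the pairing is an invariant, state it with an assertion instead of folding it into the condition; if it is not, keep the `free(*cookies, M_TEMP)` and `*cookies = NULL` under `cookies != NULL` alone and guard only `*ncookies = 0` with the `ncookies` check. A one-line comment above the block saying that callers free the cookie buffer even when an error is returned would also record why the pointer has to be cleared here.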

