svn commit: r299514 - head/sys/fs/nfsserver
Conrad E. Meyer
cem at FreeBSD.org
Thu May 12 05:03:13 UTC 2016
Author: cem
Date: Thu May 12 05:03:12 2016
New Revision: 299514
URL: https://svnweb.freebsd.org/changeset/base/299514
Log:
nfsd: Fix use-after-free in NFS4 lock test service
Trivial use-after-free where stp was freed too soon in the non-error path.
To fix, simply move its release to the end of the routine.
Reported by: Coverity
CID: 1006105
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sys/fs/nfsserver/nfs_nfsdserv.c
Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 (r299513)
+++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 (r299514)
@@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
if (!nd->nd_repstat)
nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
&stateid, exp, nd, p);
- if (stp)
- FREE((caddr_t)stp, M_NFSDSTATE);
if (nd->nd_repstat) {
if (nd->nd_repstat == NFSERR_DENIED) {
NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
}
}
vput(vp);
+ if (stp)
+ FREE((caddr_t)stp, M_NFSDSTATE);
NFSEXITCODE2(0, nd);
return (0);
nfsmout:
More information about the svn-src-head
mailing list