Commit 1a3cac6c6d1f56dc26939eb41be29844f897c15a
Committed by
Eric Van Hensbergen
1 parent
8eb891fc80
9p: fix use after free
On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote: The Coverity checker spotted the following use-after-free in net/9p/mux.c: <-- snip --> ... struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, unsigned char *extended) { ... if (!m->tagpool) { kfree(m); return ERR_PTR(PTR_ERR(m->tagpool)); } ... <-- snip --> Also spotted was a leak of the same structure further down in the function. Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Showing 1 changed file with 6 additions and 3 deletions
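--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@@ -288,9 +288,10 @@
 m->extended = extended;
 m->trans = trans;
 m->tagpool = p9_idpool_create();
-if (!m->tagpool) {
+if (IS_ERR(m->tagpool)) {
+mtmp = ERR_PTR(-ENOMEM);
 kfree(m);
-return ERR_PTR(PTR_ERR(m->tagpool));
+return mtmp;
 }
 
 m->err = 0;
 
@@ -308,8 +309,10 @@
 memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
 m->poll_task = NULL;
 n = p9_mux_poll_start(m);
-if (n)
+if (n) {
+kfree(m);
 return ERR_PTR(n);
+}
 
 n = trans->poll(trans, &m->pt);
 if (n & POLLIN) {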