Commit 1a3cac6c authored by Eric Van Hensbergen Committed by Eric Van Hensbergen

9p: fix use after free

On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote:
     The Coverity checker spotted the following use-after-free
     in net/9p/mux.c:

     <--  snip  -->

     ...
     struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
                                         unsigned char *extended)
     {
     ...
             if (!m->tagpool) {
                     kfree(m);
                     return ERR_PTR(PTR_ERR(m->tagpool));
             }
     ...

     <--  snip  -->

Also spotted was a leak of the same structure further down in the function.
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
parent 8eb891fc
...@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, ...@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
m->extended = extended; m->extended = extended;
m->trans = trans; m->trans = trans;
m->tagpool = p9_idpool_create(); m->tagpool = p9_idpool_create();
if (!m->tagpool) { if (IS_ERR(m->tagpool)) {
mtmp = ERR_PTR(-ENOMEM);
kfree(m); kfree(m);
return ERR_PTR(PTR_ERR(m->tagpool)); return mtmp;
} }
m->err = 0; m->err = 0;
...@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, ...@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
memset(&m->poll_waddr, 0, sizeof(m->poll_waddr)); memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
m->poll_task = NULL; m->poll_task = NULL;
n = p9_mux_poll_start(m); n = p9_mux_poll_start(m);
if (n) if (n) {
kfree(m);
return ERR_PTR(n); return ERR_PTR(n);
}
n = trans->poll(trans, &m->pt); n = trans->poll(trans, &m->pt);
if (n & POLLIN) { if (n & POLLIN) {
......
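Review bot: In the second hunk, the new `kfree(m)` on the `p9_mux_poll_start()` failure path frees the connection but not the `m->tagpool` that the first hunk shows being created with `p9_idpool_create()`, so unless code between the two hunks (not shown) releases it, the id pool leaks on this path. Releasing it first, `p9_idpool_destroy(m->tagpool);` before `kfree(m);`, would close that gap. In the first hunk the error branch also replaces whatever `p9_idpool_create()` returned with a fixed `-ENOMEM`; saving the value before the free, `mtmp = ERR_PTR(PTR_ERR(m->tagpool));`, keeps the real error code and still avoids reading `m` after `kfree`. `p9_conn_create` starts and ends outside both hunks, so its remaining exit paths could not be checked here.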