The tmpfs_link() must not dereference the filesystem-specific data for

a vnode until it is verified that the vnode indeed belongs to tmpfs mount. Otherwise, it might access random memory, at least in the debug kernel. Reported and tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 2 weeks
svn path=/head/; revision=268608
2025-01-26 16:18:31 +00:00 · 2014-07-14 08:45:29 +00:00 · 2014-07-14 08:45:29 +00:00 · 706f80801d · 2020-12-20 02:59:44 +00:00
commit 706f80801d
parent 57ef02ff0f
1 changed files with 2 additions and 2 deletions
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@ -570,8 +570,6 @@ tmpfs_link(struct vop_link_args *v)
 	MPASS(cnp->cn_flags & HASBUF);
 	MPASS(dvp != vp); /* XXX When can this be false? */

-	node = VP_TO_TMPFS_NODE(vp);
-
 	/* XXX: Why aren't the following two tests done by the caller? */

 	/* Hard links of directories are forbidden. */
@ -586,6 +584,8 @@ tmpfs_link(struct vop_link_args *v)
 		goto out;
 	}

+	node = VP_TO_TMPFS_NODE(vp);
+
 	/* Ensure that we do not overflow the maximum number of links imposed
 	 * by the system. */
 	MPASS(node->tn_links <= LINK_MAX);