mirror of https://git.FreeBSD.org/src.git synced 2025-01-26 16:18:31 +00:00

Clear the cookie pointer on error in tmpfs_readdir().

It is otherwise left dangling, and callers that request cookies always free
the cookie buffer, even when VOP_READDIR(9) returns an error. This results
in a double free if tmpfs_readdir() returns an error to the NFS server or
the Linux getdents(2) emulation code.

Reported by:	pho
MFC after:	1 week
Security:	double free of malloc(9)-backed memory
Sponsored by:	EMC / Isilon Storage Division
Mark Johnston 2016-02-12 20:43:53 +00:00
parent 748d440809
commit 785eb42adf
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=295574
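
The ownership problem described in the commit message, as an added userland sketch that is not FreeBSD code and not part of the commit. `toy_readdir`, `track_alloc`, `track_free` and the static pool are hypothetical stand-ins, and the failure is constructed; the tracking allocator counts a second free instead of performing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical one-buffer allocator over static storage, so a repeated
 * free can be counted safely instead of corrupting a real heap. */
static unsigned long pool[4];
static int pool_live;      /* 1 while the buffer is allocated */
static int double_frees;   /* frees seen while the buffer was not live */

static void *track_alloc(void) { pool_live = 1; return pool; }

static void track_free(void *p)
{
    if (p == NULL)
        return;            /* freeing NULL is a no-op */
    if (!pool_live) {
        double_frees++;    /* a real allocator would double free here */
        return;
    }
    pool_live = 0;
}

/* Stand-in for a readdir routine that fails after allocating cookies. */
static int toy_readdir(unsigned long **cookies, int *ncookies, int clear)
{
    int error = EINVAL;    /* constructed failure */

    *ncookies = 4;
    *cookies = track_alloc();
    if (error != 0 && cookies != NULL && ncookies != NULL) {
        track_free(*cookies);
        if (clear) {       /* the behaviour the commit adds */
            *cookies = NULL;
            *ncookies = 0;
        }
    }
    return error;
}

/* Caller modelled on the message: frees the cookie buffer even on error. */
static int caller_double_frees(int clear)
{
    unsigned long *cookies = NULL;
    int ncookies = 0;

    double_frees = 0;
    (void)toy_readdir(&cookies, &ncookies, clear);
    track_free(cookies);
    return double_frees;
}
```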

@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v)
if (error == EJUSTRETURN)
error = (uio->uio_resid != startresid) ? 0 : EINVAL;
if (error != 0 && cookies != NULL)
if (error != 0 && cookies != NULL && ncookies != NULL) {
free(*cookies, M_TEMP);
*cookies = NULL;
*ncookies = 0;
}
if (eofflag != NULL)
*eofflag =
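
Review bot: the extra `ncookies != NULL` test in the new condition is not explained anywhere in the hunk. It is needed because the block now writes `*ncookies = 0`, but nothing visible says whether a caller can request cookies without ncookies, and in that case the block is skipped entirely. A short comment above the block stating that callers free the cookie buffer even when an error is returned, which is why `*cookies` must be set to NULL after `free(*cookies, M_TEMP)`, would keep a later cleanup from removing the assignment; if the two pointers are always passed together, an assertion saying so would document that as well.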