mirror of https://git.FreeBSD.org/src.git synced 2024-11-23 07:31:31 +00:00

nfs-over-tls: handle res.gid.gid_val correctly for memory allocation

When the server side nfs-over-tls does an upcall to rpc.tlsservd(8)
for the handshake and the rpc.tlsservd "-u" command line option has
been specified, a list of gids may be returned.
The list will be returned in malloc'd memory pointed to by
res.gid.gid_val. To ensure the malloc occurs, res.gid.gid_val must
be NULL before the call. Then, the malloc'd memory needs to be free'd.
mem_free() just calls free(9), so a NULL pointer argument is fine
and a length argument == 0 is ok, since the "len" argument is not used.

This bug would have only affected nfs-over-tls and only when
rpc.tlsservd(8) is running with the "-u" command line option.
Rick Macklem 2021-01-12 13:59:52 -08:00
parent d2ceee38ca
commit f6dc363f6d


@ -573,6 +573,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp,
mtx_unlock(&rpctls_server_lock);
/* Do the server upcall. */
res.gid.gid_val = NULL;
stat = rpctlssd_connect_1(NULL, &res, cl);
if (stat == RPC_SUCCESS) {
*flags = res.flags;
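Review bot: the new `res.gid.gid_val = NULL;` ahead of `rpctlssd_connect_1(NULL, &res, cl)` carries no comment explaining why it is required, so it reads like a redundant initialisation that a later cleanup could drop. Add a one-line comment that the reply decode only allocates the gid list when the pointer is NULL on entry, and consider zeroing the whole of `res` before the upcall so that no other field of the reply is read uninitialised on a path where the call fails.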
@ -598,6 +599,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp,
soshutdown(so, SHUT_RD);
}
CLNT_RELEASE(cl);
mem_free(res.gid.gid_val, 0);
/* Once the upcall is done, the daemon is done with the fp and so. */
mtx_lock(&rpctls_server_lock);
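Review bot: `mem_free(res.gid.gid_val, 0)` after `CLNT_RELEASE(cl)` passes a length of 0 for a buffer that is not zero bytes long, which is correct only as long as mem_free() ignores its length argument. Pass the real size of the gid list, or add a comment at the call stating that the length is unused; a note that the pointer is still NULL when the upcall fails or returns no gids would also make this unconditional free easier to verify.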