authorConrad Meyer <cem@FreeBSD.org>2016-05-12 05:03:12 +0000
committerConrad Meyer <cem@FreeBSD.org>2016-05-12 05:03:12 +0000
commit5ecc225fc593a28a210fe7d494e8a8ddcf495f7a (patch)
tree94c56e44a129dcfb9d4bae20f061830b40757afe /sys/fs/nfsserver
parent5c4eb897462928e39604144796e7ffa206845616 (diff)
nfsd: Fix use-after-free in NFS4 lock test service
Trivial use-after-free where stp was freed too soon in the non-error path. To fix, simply move its release to the end of the routine. Reported by: Coverity CID: 1006105 Sponsored by: EMC / Isilon Storage Division
Notes
Notes: svn path=/head/; revision=299514
Diffstat (limited to 'sys/fs/nfsserver')
-rw-r--r--sys/fs/nfsserver/nfs_nfsdserv.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 2a0c9cfddef7..54fad67dda3c 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
if (!nd->nd_repstat)
nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
&stateid, exp, nd, p);
- if (stp)
- FREE((caddr_t)stp, M_NFSDSTATE);
if (nd->nd_repstat) {
if (nd->nd_repstat == NFSERR_DENIED) {
NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
}
}
vput(vp);
+ if (stp)
+ FREE((caddr_t)stp, M_NFSDSTATE);
NFSEXITCODE2(0, nd);
return (0);
nfsmout:
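Review bot: The relocated `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` after `vput(vp);` covers only the fall-through return. The `nfsmout:` path starts on the last line of this hunk and its body is not shown, so confirm that it releases `stp` as well; if it does not, an early exit taken after `stp` is set up (presumably earlier in `nfsrvd_lockt`, outside the hunk) would leak it. The original defect was purely an ordering mistake, and the code that still reads `stp` sits between the two hunks where it is not visible here. A short comment above the free would keep it from being hoisted again, for example `/* stp is still referenced while the reply is built; release it last. */`.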