diff options
author | Conrad Meyer <cem@FreeBSD.org> | 2016-05-12 05:03:12 +0000 |
---|---|---|
committer | Conrad Meyer <cem@FreeBSD.org> | 2016-05-12 05:03:12 +0000 |
commit | 5ecc225fc593a28a210fe7d494e8a8ddcf495f7a (patch) | |
tree | 94c56e44a129dcfb9d4bae20f061830b40757afe /sys/fs/nfsserver | |
parent | 5c4eb897462928e39604144796e7ffa206845616 (diff) | |
download | src-5ecc225fc593a28a210fe7d494e8a8ddcf495f7a.tar.gz src-5ecc225fc593a28a210fe7d494e8a8ddcf495f7a.zip |
nfsd: Fix use-after-free in NFS4 lock test service
Trivial use-after-free where stp was freed too soon in the non-error path.
To fix, simply move its release to the end of the routine.
Reported by: Coverity
CID: 1006105
Sponsored by: EMC / Isilon Storage Division
Notes
Notes:
svn path=/head/; revision=299514
Diffstat (limited to 'sys/fs/nfsserver')
-rw-r--r-- | sys/fs/nfsserver/nfs_nfsdserv.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c index 2a0c9cfddef7..54fad67dda3c 100644 --- a/sys/fs/nfsserver/nfs_nfsdserv.c +++ b/sys/fs/nfsserver/nfs_nfsdserv.c @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram, if (!nd->nd_repstat) nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid, &stateid, exp, nd, p); - if (stp) - FREE((caddr_t)stp, M_NFSDSTATE); if (nd->nd_repstat) { if (nd->nd_repstat == NFSERR_DENIED) { NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram, } } vput(vp); + if (stp) + FREE((caddr_t)stp, M_NFSDSTATE); NFSEXITCODE2(0, nd); return (0); nfsmout: |