authorMark Johnston <markj@FreeBSD.org>2016-02-12 20:43:53 +0000
committerMark Johnston <markj@FreeBSD.org>2016-02-12 20:43:53 +0000
commit785eb42adf81e2572d594dcba805fb44bcabeadd (patch)
tree1ee86a85785a6c517a0c97af430dd6915da9901c /sys/fs
parent748d440809cc37eed158c5ee5485c27b45afdce3 (diff)
Clear the cookie pointer on error in tmpfs_readdir().
It is otherwise left dangling, and callers that request cookies always free the cookie buffer, even when VOP_READDIR(9) returns an error. This results in a double free if tmpfs_readdir() returns an error to the NFS server or the Linux getdents(2) emulation code. Reported by: pho MFC after: 1 week Security: double free of malloc(9)-backed memory Sponsored by: EMC / Isilon Storage Division
Notes
Notes: svn path=/head/; revision=295574
Diffstat (limited to 'sys/fs')
-rw-r--r--sys/fs/tmpfs/tmpfs_vnops.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c
index 9bdb1e90917c..bf42ffedad8f 100644
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v)
if (error == EJUSTRETURN)
error = (uio->uio_resid != startresid) ? 0 : EINVAL;
- if (error != 0 && cookies != NULL)
+ if (error != 0 && cookies != NULL && ncookies != NULL) {
free(*cookies, M_TEMP);
+ *cookies = NULL;
+ *ncookies = 0;
+ }
if (eofflag != NULL)
*eofflag =
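Review bot: A comment is missing on the new error block in tmpfs_readdir(): the stores `*cookies = NULL;` and `*ncookies = 0;` exist only because of a caller contract that the code itself does not show. Per the commit message, callers that request cookies free the buffer even when VOP_READDIR(9) fails, so a later cleanup could remove the stores as redundant and reintroduce the double free. I would add above the block something like `/* Callers free *cookies even on error; clear it so the buffer is not freed twice. */`. The added `ncookies != NULL` test presumably mirrors the condition under which the cookie buffer is allocated earlier in the function; that allocation is outside this hunk, so it should be checked that both guards agree. The function body starts before and continues past the hunk.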