Date:      Fri, 25 Mar 2011 10:57:57 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r219986 - head/sys/compat/freebsd32
Message-ID:  <201103251057.p2PAvvkL078930@svn.freebsd.org>

Author: kib
Date: Fri Mar 25 10:57:57 2011
New Revision: 219986
URL: http://svn.freebsd.org/changeset/base/219986

Log:
  Fix file leakage in the freebsd32_ioctl routines.
  
  Code inspection shows freebsd32_ioctl calls fget for a fd and calls
  a subroutine to handle each specific ioctl.  It is expected that the
  subroutine will call fdrop when done.  However, many of the subroutines
  exit early if copyin encounters an error, so fdrop is never called on
  that path.
  
  Submitted by:	John Wehle <john feith com>
  MFC after:	3 days

Modified:
  head/sys/compat/freebsd32/freebsd32_ioctl.c

Modified: head/sys/compat/freebsd32/freebsd32_ioctl.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_ioctl.c	Fri Mar 25 10:55:25 2011	(r219985)
+++ head/sys/compat/freebsd32/freebsd32_ioctl.c	Fri Mar 25 10:57:57 2011	(r219986)
@@ -70,7 +70,6 @@ freebsd32_ioctl_md(struct thread *td, st
 		panic("%s: where is my ioctl data??", __func__);
 	if (uap->com & IOC_IN) {
 		if ((error = copyin(uap->data, &md32, sizeof(md32)))) {
-			fdrop(fp, td);
 			return (error);
 		}
 		CP(md32, mdv, md_version);
@@ -121,7 +120,6 @@ freebsd32_ioctl_md(struct thread *td, st
 		CP(mdv, md32, md_fwsectors);
 		error = copyout(&md32, uap->data, sizeof(md32));
 	}
-	fdrop(fp, td);
 	return error;
 }
 
@@ -144,7 +142,6 @@ freebsd32_ioctl_ioc_toc_header(struct th
 	CP(toch32, toch, ending_track);
 	error = fo_ioctl(fp, CDIOREADTOCHEADER, (caddr_t)&toch,
 	    td->td_ucred, td);
-	fdrop(fp, td);
 	return (error);
 }
 
@@ -175,7 +172,6 @@ freebsd32_ioctl_ioc_read_toc(struct thre
 		PTROUT_CP(toce, toce32, data);
 		error = copyout(&toce32, uap->data, sizeof(toce32));
 	}
-	fdrop(fp, td);
 	return error;
 }
 
@@ -192,7 +188,6 @@ freebsd32_ioctl_fiodgname(struct thread 
 	CP(fgn32, fgn, len);
 	PTRIN_CP(fgn32, fgn, buf);
 	error = fo_ioctl(fp, FIODGNAME, (caddr_t)&fgn, td->td_ucred, td);
-	fdrop(fp, td);
 	return (error);
 }
 
@@ -219,16 +214,20 @@ freebsd32_ioctl(struct thread *td, struc
 	case MDIOCDETACH_32:	/* FALLTHROUGH */
 	case MDIOCQUERY_32:	/* FALLTHROUGH */
 	case MDIOCLIST_32:
-		return freebsd32_ioctl_md(td, uap, fp);
+		error = freebsd32_ioctl_md(td, uap, fp);
+		break;
 
 	case CDIOREADTOCENTRYS_32:
-		return freebsd32_ioctl_ioc_read_toc(td, uap, fp);
+		error = freebsd32_ioctl_ioc_read_toc(td, uap, fp);
+		break;
 
 	case CDIOREADTOCHEADER_32:
-		return freebsd32_ioctl_ioc_toc_header(td, uap, fp);
+		error = freebsd32_ioctl_ioc_toc_header(td, uap, fp);
+		break;
 
 	case FIODGNAME_32:
-		return freebsd32_ioctl_fiodgname(td, uap, fp);
+		error = freebsd32_ioctl_fiodgname(td, uap, fp);
+		break;
 
 	default:
 		fdrop(fp, td);
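Review bot: The switch in freebsd32_ioctl now depends on an unwritten ownership rule, and nothing in the new code states it: each handler borrows fp, and each translated case must `break` so that the single fdrop() at the end of the function runs. A handler that later calls fdrop() itself would release the reference twice, and a case that returns directly would leak it again, which is the class of reference-count bug this commit fixes. I would add a comment above the switch, for example `/* Handlers borrow fp and must not fdrop() it; every translated case breaks to the common fdrop() below. */`. The switch starts before this hunk and ends in the next one.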
@@ -237,4 +236,7 @@ freebsd32_ioctl(struct thread *td, struc
 		PTRIN_CP(*uap, ap, data);
 		return ioctl(td, &ap);
 	}
+
+	fdrop(fp, td);
+	return error;
 }
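Review bot: The added tail `fdrop(fp, td); return error;` is reached by every case except `default`, which still releases fp itself and returns from inside the switch, so the function keeps two release sites. That looks deliberate (presumably the reference is dropped first because `ioctl(td, &ap)` works from the descriptor number rather than from fp), but a comment on the default branch would keep it from being mistaken for a leftover, for example `/* Not a translated command: release our reference and hand off to the native ioctl(). */`. As a style point, the new line would match the `return (error);` form used in the helpers above if written `return (error);`. The default branch begins in the previous hunk.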


