Date:      Fri, 12 Feb 2016 20:43:53 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r295574 - head/sys/fs/tmpfs
Message-ID:  <201602122043.u1CKhrxK029330@repo.freebsd.org>

Author: markj
Date: Fri Feb 12 20:43:53 2016
New Revision: 295574
URL: https://svnweb.freebsd.org/changeset/base/295574

Log:
  Clear the cookie pointer on error in tmpfs_readdir().
  
  It is otherwise left dangling, and callers that request cookies always free
  the cookie buffer, even when VOP_READDIR(9) returns an error. This results
  in a double free if tmpfs_readdir() returns an error to the NFS server or
  the Linux getdents(2) emulation code.
  
  Reported by:	pho
  MFC after:	1 week
  Security:	double free of malloc(9)-backed memory
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/fs/tmpfs/tmpfs_vnops.c

Modified: head/sys/fs/tmpfs/tmpfs_vnops.c
==============================================================================
--- head/sys/fs/tmpfs/tmpfs_vnops.c	Fri Feb 12 20:14:03 2016	(r295573)
+++ head/sys/fs/tmpfs/tmpfs_vnops.c	Fri Feb 12 20:43:53 2016	(r295574)
@@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v
 	if (error == EJUSTRETURN)
 		error = (uio->uio_resid != startresid) ? 0 : EINVAL;
 
-	if (error != 0 && cookies != NULL)
+	if (error != 0 && cookies != NULL && ncookies != NULL) {
 		free(*cookies, M_TEMP);
+		*cookies = NULL;
+		*ncookies = 0;
+	}
 
 	if (eofflag != NULL)
 		*eofflag =
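
Review bot: The guard on the `if (error != 0 && cookies != NULL && ncookies != NULL)` line now ties the free to `ncookies` as well, so a caller that passes `cookies` without `ncookies` no longer has the buffer freed or the pointer cleared on error, which differs from the old behaviour. If the two are always passed together, an assertion or a short comment stating that would make the invariant explicit. A one-line comment above `*cookies = NULL;` noting that callers free the cookie buffer even when an error is returned would also help keep a later cleanup from dropping the assignment.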


