Date:      Fri, 24 Jan 2014 19:41:41 +0100
From:      Roman Divacky <rdivacky@freebsd.org>
To:        fs@freebsd.org
Subject:   BUG: possible NULL pointer dereference in nfs server
Message-ID:  <20140124184141.GA19458@freebsd.org>

Hi,

In nfs_nfsdstate.c:nfsrv_lockctrl() we call 

getlckret = nfsrv_getlockfh(vp, new_stp->ls_flags, NULL, &nfh, p);

then in nfsrv_getlockfh() we, based on the value of flags, might
dereference the NULL pointer:


nfsrv_getlockfh(vnode_t vp, u_short flags,
    struct nfslockfile **new_lfpp, fhandle_t *nfhp, NFSPROC_T *p)


        if (flags & NFSLCK_OPEN) {
                new_lfp = *new_lfpp;
                fhp = &new_lfp->lf_fh;


I am not sure what the right fix is. Or if it's even possible to hit
(but I think it is). Anyway the compiler currently generates
a trap instruction (ud2 on x86) in this code. It's the only trap
in GENERIC btw.

Would be lovely to fix this.

Roman

P.S. CC me on your replies as I am not subscribed to the list.

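The defect described above, reduced to its shape as an added example (this is not the FreeBSD code and not Roman's; the names getlockfh_unchecked, getlockfh_checked, struct lockfile, LCK_OPEN and LCK_LOCK are constructed stand-ins for nfsrv_getlockfh(), struct nfslockfile and NFSLCK_OPEN, and the flag values are assumed). The unchecked version dereferences the out-pointer only when the flag bit is set, so a NULL argument is harmless on one path and a trap on the other, which is exactly why the compiler can emit ud2 there. The checked version enforces the contract at the callee and fails closed with EINVAL instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed flag bits (assumed values, standing in for NFSLCK_OPEN and friends). */
#define LCK_OPEN 0x0001
#define LCK_LOCK 0x0002

/* Constructed stand-in for struct nfslockfile; only the handle field matters. */
struct lockfile {
    unsigned long lf_fh;   /* plays the role of the fhandle_t lf_fh member */
};

/*
 * Shape of the reported bug: new_lfpp is dereferenced only when LCK_OPEN is
 * set. A caller passing NULL together with LCK_OPEN trips a NULL pointer
 * dereference here (hypothetical function, not nfsrv_getlockfh itself).
 */
int getlockfh_unchecked(unsigned short flags, struct lockfile **new_lfpp,
                        unsigned long *fh_out)
{
    struct lockfile *new_lfp;

    if (flags & LCK_OPEN) {
        new_lfp = *new_lfpp;          /* crashes when new_lfpp == NULL */
        *fh_out = new_lfp->lf_fh;
        return 0;
    }
    *fh_out = 0;                      /* other paths never touch new_lfpp */
    return 0;
}

/*
 * Hardened form: the flag/argument contract is checked where the pointer is
 * used, so a bad caller gets an error code rather than a kernel trap.
 */
int getlockfh_checked(unsigned short flags, struct lockfile **new_lfpp,
                      unsigned long *fh_out)
{
    struct lockfile *new_lfp;

    if (flags & LCK_OPEN) {
        if (new_lfpp == NULL || *new_lfpp == NULL)
            return EINVAL;            /* fail closed instead of dereferencing */
        new_lfp = *new_lfpp;
        *fh_out = new_lfp->lf_fh;
        return 0;
    }
    *fh_out = 0;
    return 0;
}

/* Small probes so each outcome can be checked as a return value. */
int probe_null_with_open(void)
{
    unsigned long fh = 0;
    return getlockfh_checked(LCK_OPEN, NULL, &fh);      /* expect EINVAL */
}

int probe_null_without_open(void)
{
    unsigned long fh = 99;
    int r = getlockfh_checked(LCK_LOCK, NULL, &fh);
    return r == 0 && fh == 0;                           /* NULL is fine here */
}

int probe_valid_with_open(void)
{
    struct lockfile lf = { 0x1234 };                    /* constructed handle */
    struct lockfile *p = &lf;
    unsigned long fh = 0;
    int r = getlockfh_checked(LCK_OPEN, &p, &fh);
    return r == 0 && fh == 0x1234;
}

int main(void)
{
    printf("NULL + LCK_OPEN  -> %s\n", probe_null_with_open() == EINVAL ? "EINVAL" : "?");
    printf("NULL + LCK_LOCK  -> %s\n", probe_null_without_open() ? "ok" : "fail");
    printf("valid + LCK_OPEN -> %s\n", probe_valid_with_open() ? "ok" : "fail");
    return 0;
}
```

The unchecked variant is kept only to show the pattern; calling it with NULL and LCK_OPEN set is the crash the report describes, which is why the probes only exercise the checked one. The same guard could instead live at the call site in the caller (the report's nfsrv_lockctrl() passes NULL explicitly), but putting it in the callee protects every caller, including future ones, and gives static analysers a visible precondition.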