Date: Fri, 24 Jan 2014 19:41:41 +0100 From: Roman Divacky <rdivacky@freebsd.org> To: fs@freebsd.org Subject: BUG: possible NULL pointer dereference in nfs server Message-ID: <20140124184141.GA19458@freebsd.org>
next in thread | raw e-mail | index | archive | help
Hi, In nfs_nfsdstate.c:nfsrv_lockctrl() we call getlckret = nfsrv_getlockfh(vp, new_stp->ls_flags, NULL, &nfh, p); then in nfsrv_getlockfh() we, based on the value of flags, might dereference the NULL pointer: nfsrv_getlockfh(vnode_t vp, u_short flags, struct nfslockfile **new_lfpp, fhandle_t *nfhp, NFSPROC_T *p) if (flags & NFSLCK_OPEN) { new_lfp = *new_lfpp; fhp = &new_lfp->lf_fh; I am not sure what the right fix is. Or if it's even possible to hit (but I think it is). Anyway the compiler currently generates a trap instruction (ud2 on x86) in this code. It's the only trap in GENERIC btw. Would be lovely to fix this. Roman P.S. CC me on your replies as I am not subscribed to the list.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140124184141.GA19458>