Date: Tue, 12 Jan 2021 22:03:02 GMT
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: f6dc363f6dd2 - main - nfs-over-tls: handle res.gid.gid_val correctly for memory allocation
Message-ID: <202101122203.10CM32a3001234@gitrepo.freebsd.org>
The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=f6dc363f6dd2f6daa8cb59ecff6964fb86064f9f commit f6dc363f6dd2f6daa8cb59ecff6964fb86064f9f Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2021-01-12 21:59:52 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2021-01-12 21:59:52 +0000 nfs-over-tls: handle res.gid.gid_val correctly for memory allocation When the server side nfs-over-tls does an upcall to rpc.tlsservd(8) for the handshake and the rpc.tlsservd "-u" command line option has been specified, a list of gids may be returned. The list will be returned in malloc'd memory pointed to by res.gid.gid_val. To ensure the malloc occurs, res.gid.gid_val must be NULL before the call. Then, the malloc'd memory needs to be free'd. mem_free() just calls free(9), so a NULL pointer argument is fine and a length argument == 0 is ok, since the "len" argument is not used. This bug would have only affected nfs-over-tls and only when rpc.tlsservd(8) is running with the "-u" command line option. --- sys/rpc/rpcsec_tls/rpctls_impl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/rpc/rpcsec_tls/rpctls_impl.c b/sys/rpc/rpcsec_tls/rpctls_impl.c index 638f27eaf350..110ba107540a 100644 --- a/sys/rpc/rpcsec_tls/rpctls_impl.c +++ b/sys/rpc/rpcsec_tls/rpctls_impl.c @@ -573,6 +573,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, mtx_unlock(&rpctls_server_lock); /* Do the server upcall. */ + res.gid.gid_val = NULL; stat = rpctlssd_connect_1(NULL, &res, cl); if (stat == RPC_SUCCESS) { *flags = res.flags; @@ -598,6 +599,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, soshutdown(so, SHUT_RD); } CLNT_RELEASE(cl); + mem_free(res.gid.gid_val, 0); /* Once the upcall is done, the daemon is done with the fp and so. */ mtx_lock(&rpctls_server_lock);
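Review bot: In the first hunk (@@ -573,6 +573,7 @@), only res.gid.gid_val is cleared before rpctlssd_connect_1(NULL, &res, cl), and nothing at the call site says why. The requirement that the pointer be NULL so the list is allocated during the upcall is recorded only in the commit message, so a one-line comment above "res.gid.gid_val = NULL;" would keep a later cleanup from dropping it. Consider zeroing the whole result before the call instead of one member, so that any other pointer member of res is covered by the same rule.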
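Review bot: In the second hunk (@@ -598,6 +599,7 @@), "mem_free(res.gid.gid_val, 0);" passes a length that does not describe the allocation, and is correct only because mem_free() ignores its length argument, as the commit message explains. Either pass the real size of the returned list or add a short comment at the call saying the length is unused, so the 0 does not read as a mistake. The free is reached on both the success and failure paths after CLNT_RELEASE(cl), so it depends on the NULL assignment from the first hunk; the two lines should be kept together in any future refactor.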