From owner-svn-src-head@FreeBSD.ORG Wed Jul 3 10:31:45 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id F02D3272; Wed, 3 Jul 2013 10:31:45 +0000 (UTC) (envelope-from davide@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id E1F121BAC; Wed, 3 Jul 2013 10:31:45 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r63AVjQs026409; Wed, 3 Jul 2013 10:31:45 GMT (envelope-from davide@svn.freebsd.org) Received: (from davide@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r63AVjPL026408; Wed, 3 Jul 2013 10:31:45 GMT (envelope-from davide@svn.freebsd.org) Message-Id: <201307031031.r63AVjPL026408@svn.freebsd.org> 
From: Davide Italiano Date: Wed, 3 Jul 2013 10:31:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r252558 - head/sys/fs/smbfs X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2013 10:31:46 -0000 Author: davide Date: Wed Jul 3 10:31:45 2013 New Revision: 252558 URL: http://svnweb.freebsd.org/changeset/base/252558 Log: - Fix double frees/user after free. - Allocate using smb_rq_alloc() instead of inlining it. Reported by: uqs Found with: Coverity Scan Modified: head/sys/fs/smbfs/smbfs_smb.c
Modified: head/sys/fs/smbfs/smbfs_smb.c
==============================================================================
--- head/sys/fs/smbfs/smbfs_smb.c Wed Jul 3 09:50:59 2013 (r252557)
+++ head/sys/fs/smbfs/smbfs_smb.c Wed Jul 3 10:31:45 2013 (r252558)
@@ -94,12 +94,10 @@ smbfs_smb_lockandx(struct smbnode *np, i
 if (op == SMB_LOCK_SHARED)
 ltype |= SMB_LOCKING_ANDX_SHARED_LOCK;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint8(mbp, 0xff); /* secondary command */
@@ -119,7 +117,6 @@ smbfs_smb_lockandx(struct smbnode *np, i
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
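Review bot: The new code depends on a request from `smb_rq_alloc()` being released by `smb_rq_done()` — that is what the removal of every `free(rqp, M_SMBFSDATA)` implies, though the helper itself is not visible here — yet nothing in the hunk records that ownership rule, and the deleted lines show how readily a maintainer re-adds a `free()` and reintroduces the double free the commit fixes. A comment at the first `smb_rq_alloc()` site, `/* rqp is owned by netsmb: smb_rq_done() releases it, never free() it here. */`, would pin the invariant the whole commit relies on. The added `return (error);` lines follow style(9) while the untouched `return error;` at the end of the second hunk keeps the old form, so the function now mixes both; the same mix appears in the hunks for smbfs_smb_statfs, smbfs_smb_setfsize, smbfs_smb_query_info, smbfs_smb_setpattr, smbfs_smb_setftime, smbfs_smb_open, smbfs_smb_close, smbfs_smb_create, smbfs_smb_delete, smbfs_smb_rename, smbfs_smb_move, smbfs_smb_mkdir, smbfs_smb_rmdir and smbfs_smb_findclose2. The blank `+` line inserted before `smb_rq_alloc()` here has no counterpart in any of the other converted functions. smbfs_smb_lockandx begins before the first hunk.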
@@ -188,19 +185,16 @@ smbfs_smb_statfs(struct smb_share *ssp,
 u_int16_t units, bpu, bsize, funits;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK,
+ scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_wstart(rqp);
 smb_rq_wend(rqp);
 smb_rq_bstart(rqp);
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 if (error) {
- free(rqp, M_SMBFSDATA);
 smb_rq_done(rqp);
 return error;
 }
@@ -216,7 +210,6 @@ smbfs_smb_statfs(struct smb_share *ssp,
 sbp->f_files = 0xffff; /* total file nodes in filesystem */
 sbp->f_ffree = 0xffff; /* free file nodes in fs */
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return 0;
 }
@@ -260,12 +253,9 @@ smb_smb_flush(struct smbnode *np, struct
 if ((np->n_flag & NOPEN) == 0 || !SMBTOV(np) || SMBTOV(np)->v_type != VREG)
 return 0; /* not a regular open file */
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_FLUSH, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_FLUSH, scred, &rqp);
+ if (error)
 return (error);
- }
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@@ -274,7 +264,6 @@ smb_smb_flush(struct smbnode *np, struct
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 if (!error)
 np->n_flag &= ~NFLUSHWIRE;
 return (error);
@@ -301,12 +290,9 @@ smbfs_smb_setfsize(struct smbnode *np, i
 return (0);
 }
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_WRITE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_WRITE, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@@ -320,7 +306,6 @@ smbfs_smb_setfsize(struct smbnode *np, i
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -337,12 +322,10 @@ smbfs_smb_query_info(struct smbnode *np,
 u_int16_t wattr;
 u_int32_t lint;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 smb_rq_wend(rqp);
@@ -377,7 +360,6 @@ smbfs_smb_query_info(struct smbnode *np,
 fap->fa_size = lint;
 } while(0);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -394,12 +376,10 @@ smbfs_smb_setpattr(struct smbnode *np, u
 u_long time;
 int error, svtz;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
 svtz = SSTOVC(ssp)->vc_sopt.sv_tz;
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
@@ -431,7 +411,6 @@ smbfs_smb_setpattr(struct smbnode *np, u
 }
 } while(0);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -554,12 +533,10 @@ smbfs_smb_setftime(struct smbnode *np, s
 u_int16_t date, time;
 int error, tzoff;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred,
+ &rqp);
+ if (error)
+ return (error);
 tzoff = SSTOVC(ssp)->vc_sopt.sv_tz;
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
@@ -584,7 +561,6 @@ smbfs_smb_setftime(struct smbnode *np, s
 error = smb_rq_simple(rqp);
 SMBSDEBUG("%d\n", error);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -648,12 +624,9 @@ smbfs_smb_open(struct smbnode *np, int a
 u_int16_t fid, wattr, grantedmode;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_OPEN, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_OPEN, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint16le(mbp, accmode);
@@ -684,7 +657,6 @@ smbfs_smb_open(struct smbnode *np, int a
 */
 } while(0);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 if (error)
 return error;
 np->n_fid = fid;
@@ -702,12 +674,9 @@ smbfs_smb_close(struct smb_share *ssp, u
 u_long time;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CLOSE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CLOSE, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_mem(mbp, (caddr_t)&fid, sizeof(fid), MB_MSYSTEM);
@@ -721,7 +690,6 @@ smbfs_smb_close(struct smb_share *ssp, u
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -739,12 +707,9 @@ smbfs_smb_create(struct smbnode *dnp, co
 u_long tm;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint16le(mbp, SMB_FA_ARCHIVE); /* attributes */
@@ -771,7 +736,6 @@ smbfs_smb_create(struct smbnode *dnp, co
 if (error)
 return error;
 smbfs_smb_close(ssp, fid, &ctime, scred);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -783,12 +747,9 @@ smbfs_smb_delete(struct smbnode *np, str
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -801,7 +762,6 @@ smbfs_smb_delete(struct smbnode *np, str
 error = smb_rq_simple(rqp);
 }
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -814,12 +774,9 @@ smbfs_smb_rename(struct smbnode *src, st
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_RENAME, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_RENAME, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -838,7 +795,6 @@ smbfs_smb_rename(struct smbnode *src, st
 error = smb_rq_simple(rqp);
 } while(0);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
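Review bot: In the second hunk of smbfs_smb_create the value of `smbfs_smb_close(ssp, fid, &ctime, scred);` is discarded, and the `return error;` that follows can only return the zero left by the `if (error) return error;` just above it, so a failed close of the handle the server has just issued is never reported to the caller and the handle's fate is invisible to anyone debugging a leak on the server side. If that is deliberate — the create has already succeeded and the handle is only transient — say so in place of the removed `free()` with `/* best effort: the create succeeded, a close failure is not reported */`; otherwise capture it as `error = smbfs_smb_close(ssp, fid, &ctime, scred);`. The function begins before the first hunk, so whether `smb_rq_done()` has already run at this point cannot be confirmed here.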
@@ -851,12 +807,9 @@ smbfs_smb_move(struct smbnode *src, stru
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_MOVE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_MOVE, scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_uint16le(mbp, SMB_TID_UNKNOWN);
@@ -877,7 +830,6 @@ smbfs_smb_move(struct smbnode *src, stru
 error = smb_rq_simple(rqp);
 } while(0);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -890,12 +842,10 @@ smbfs_smb_mkdir(struct smbnode *dnp, con
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 smb_rq_wend(rqp);
@@ -907,7 +857,6 @@ smbfs_smb_mkdir(struct smbnode *dnp, con
 error = smb_rq_simple(rqp);
 }
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -919,12 +868,10 @@ smbfs_smb_rmdir(struct smbnode *np, stru
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 smb_rq_wend(rqp);
@@ -936,7 +883,6 @@ smbfs_smb_rmdir(struct smbnode *np, stru
 error = smb_rq_simple(rqp);
 }
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }
@@ -958,7 +904,7 @@ smbfs_smb_search(struct smbfs_fctx *ctx)
 }
 error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_SEARCH, ctx->f_scred, &rqp);
 if (error)
- return error;
+ return (error);
 ctx->f_rq = rqp;
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
@@ -1204,12 +1150,10 @@ smbfs_smb_findclose2(struct smbfs_fctx *
 struct mbchain *mbp;
 int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2, ctx->f_scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2,
+ ctx->f_scred, &rqp);
+ if (error)
+ return (error);
 smb_rq_getrequest(rqp, &mbp);
 smb_rq_wstart(rqp);
 mb_put_mem(mbp, (caddr_t)&ctx->f_Sid, 2, MB_MSYSTEM);
@@ -1218,7 +1162,6 @@ smbfs_smb_findclose2(struct smbfs_fctx *
 smb_rq_bend(rqp);
 error = smb_rq_simple(rqp);
 smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
 return error;
 }