Clear the cookie pointer on error in tmpfs_readdir().

It is otherwise left dangling, and callers that request cookies always free
the cookie buffer, even when VOP_READDIR(9) returns an error. This results
in a double free if tmpfs_readdir() returns an error to the NFS server or
the Linux getdents(2) emulation code.

Reported by:	pho
MFC after:	1 week
Security:	double free of malloc(9)-backed memory
Sponsored by:	EMC / Isilon Storage Division
Mark Johnston 2016-02-12 20:43:53 +00:00
parent 748d440809
commit 785eb42adf

@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v)
if (error == EJUSTRETURN)
error = (uio->uio_resid != startresid) ? 0 : EINVAL;
if (error != 0 && cookies != NULL)
if (error != 0 && cookies != NULL && ncookies != NULL) {
free(*cookies, M_TEMP);
*cookies = NULL;
*ncookies = 0;
}
if (eofflag != NULL)
*eofflag =
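Review bot: the new `ncookies != NULL` guard on the error path means a caller that passes `cookies` without `ncookies` would no longer have `*cookies` freed on error, so this relies on the VOP_READDIR(9) contract that the two pointers are always supplied together; if that contract is not already stated in the man page, add a sentence there, and also document that on error `*cookies` is NULL and `*ncookies` is 0, so that callers (the NFS server and the Linux getdents(2) emulation named in the message) can keep freeing unconditionally and other filesystems implementing VOP_READDIR follow the same convention.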