From 785eb42adf81e2572d594dcba805fb44bcabeadd Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Fri, 12 Feb 2016 20:43:53 +0000 Subject: [PATCH] Clear the cookie pointer on error in tmpfs_readdir(). It is otherwise left dangling, and callers that request cookies always free the cookie buffer, even when VOP_READDIR(9) returns an error. This results in a double free if tmpfs_readdir() returns an error to the NFS server or the Linux getdents(2) emulation code. Reported by: pho MFC after: 1 week Security: double free of malloc(9)-backed memory Sponsored by: EMC / Isilon Storage Division --- sys/fs/tmpfs/tmpfs_vnops.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c index 9bdb1e90917..bf42ffedad8 100644 --- a/sys/fs/tmpfs/tmpfs_vnops.c +++ b/sys/fs/tmpfs/tmpfs_vnops.c @@ -1191,8 +1191,11 @@ tmpfs_readdir(struct vop_readdir_args *v) if (error == EJUSTRETURN) error = (uio->uio_resid != startresid) ? 0 : EINVAL; - if (error != 0 && cookies != NULL) + if (error != 0 && cookies != NULL && ncookies != NULL) { free(*cookies, M_TEMP); + *cookies = NULL; + *ncookies = 0; + } if (eofflag != NULL) *eofflag =