From f6dc363f6dd2f6daa8cb59ecff6964fb86064f9f Mon Sep 17 00:00:00 2001 From: Rick Macklem Date: Tue, 12 Jan 2021 13:59:52 -0800 Subject: [PATCH] nfs-over-tls: handle res.gid.gid_val correctly for memory allocation When the server side nfs-over-tls does an upcall to rpc.tlsservd(8) for the handshake and the rpc.tlsservd "-u" command line option has been specified, a list of gids may be returned. The list will be returned in malloc'd memory pointed to by res.gid.gid_val. To ensure the malloc occurs, res.gid.gid_val must be NULL before the call. Then, the malloc'd memory needs to be free'd. mem_free() just calls free(9), so a NULL pointer argument is fine and a length argument == 0 is ok, since the "len" argument is not used. This bug would have only affected nfs-over-tls and only when rpc.tlsservd(8) is running with the "-u" command line option. --- sys/rpc/rpcsec_tls/rpctls_impl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/rpc/rpcsec_tls/rpctls_impl.c b/sys/rpc/rpcsec_tls/rpctls_impl.c index 638f27eaf35..110ba107540 100644 --- a/sys/rpc/rpcsec_tls/rpctls_impl.c +++ b/sys/rpc/rpcsec_tls/rpctls_impl.c @@ -573,6 +573,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, mtx_unlock(&rpctls_server_lock); /* Do the server upcall. */ + res.gid.gid_val = NULL; stat = rpctlssd_connect_1(NULL, &res, cl); if (stat == RPC_SUCCESS) { *flags = res.flags; @@ -598,6 +599,7 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, soshutdown(so, SHUT_RD); } CLNT_RELEASE(cl); + mem_free(res.gid.gid_val, 0); /* Once the upcall is done, the daemon is done with the fp and so. */ mtx_lock(&rpctls_server_lock);