aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Van Hensbergen <ericvh@ericvh-desktop.austin.ibm.com>2007-07-26 15:04:54 -0400
committerEric Van Hensbergen <ericvh@ericvh-laptop.austin.ibm.com>2007-08-23 11:12:48 -0400
commit1a3cac6c6d1f56dc26939eb41be29844f897c15a (patch)
tree02922961c01db29922737f37796265103e96dc6b
parent8eb891fc809b2300137bcd247025628c06c95a63 (diff)
9p: fix use after free
On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote: The Coverity checker spotted the following use-after-free in net/9p/mux.c: <-- snip --> ... struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, unsigned char *extended) { ... if (!m->tagpool) { kfree(m); return ERR_PTR(PTR_ERR(m->tagpool)); } ... <-- snip --> Also spotted was a leak of the same structure further down in the function. Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
-rw-r--r--net/9p/mux.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/net/9p/mux.c b/net/9p/mux.c
index acb038810f39..5d70558c4c61 100644
--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
288 m->extended = extended; 288 m->extended = extended;
289 m->trans = trans; 289 m->trans = trans;
290 m->tagpool = p9_idpool_create(); 290 m->tagpool = p9_idpool_create();
291 if (!m->tagpool) { 291 if (IS_ERR(m->tagpool)) {
292 mtmp = ERR_PTR(-ENOMEM);
292 kfree(m); 293 kfree(m);
293 return ERR_PTR(PTR_ERR(m->tagpool)); 294 return mtmp;
294 } 295 }
295 296
296 m->err = 0; 297 m->err = 0;
@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
308 memset(&m->poll_waddr, 0, sizeof(m->poll_waddr)); 309 memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
309 m->poll_task = NULL; 310 m->poll_task = NULL;
310 n = p9_mux_poll_start(m); 311 n = p9_mux_poll_start(m);
311 if (n) 312 if (n) {
313 kfree(m);
312 return ERR_PTR(n); 314 return ERR_PTR(n);
315 }
313 316
314 n = trans->poll(trans, &m->pt); 317 n = trans->poll(trans, &m->pt);
315 if (n & POLLIN) { 318 if (n & POLLIN) {