diff options
author | Eric Van Hensbergen <ericvh@ericvh-desktop.austin.ibm.com> | 2007-07-26 15:04:54 -0400 |
---|---|---|
committer | Eric Van Hensbergen <ericvh@ericvh-laptop.austin.ibm.com> | 2007-08-23 11:12:48 -0400 |
commit | 1a3cac6c6d1f56dc26939eb41be29844f897c15a (patch) | |
tree | 02922961c01db29922737f37796265103e96dc6b /net/9p | |
parent | 8eb891fc809b2300137bcd247025628c06c95a63 (diff) |
9p: fix use after free
On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote:
The Coverity checker spotted the following use-after-free
in net/9p/mux.c:
<-- snip -->
...
struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
unsigned char *extended)
{
...
if (!m->tagpool) {
kfree(m);
return ERR_PTR(PTR_ERR(m->tagpool));
}
...
<-- snip -->
Also spotted was a leak of the same structure further down in the function.
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Diffstat (limited to 'net/9p')
-rw-r--r-- | net/9p/mux.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/9p/mux.c b/net/9p/mux.c index acb038810f39..5d70558c4c61 100644 --- a/net/9p/mux.c +++ b/net/9p/mux.c | |||
@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, | |||
288 | m->extended = extended; | 288 | m->extended = extended; |
289 | m->trans = trans; | 289 | m->trans = trans; |
290 | m->tagpool = p9_idpool_create(); | 290 | m->tagpool = p9_idpool_create(); |
291 | if (!m->tagpool) { | 291 | if (IS_ERR(m->tagpool)) { |
292 | mtmp = ERR_PTR(-ENOMEM); | ||
292 | kfree(m); | 293 | kfree(m); |
293 | return ERR_PTR(PTR_ERR(m->tagpool)); | 294 | return mtmp; |
294 | } | 295 | } |
295 | 296 | ||
296 | m->err = 0; | 297 | m->err = 0; |
@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, | |||
308 | memset(&m->poll_waddr, 0, sizeof(m->poll_waddr)); | 309 | memset(&m->poll_waddr, 0, sizeof(m->poll_waddr)); |
309 | m->poll_task = NULL; | 310 | m->poll_task = NULL; |
310 | n = p9_mux_poll_start(m); | 311 | n = p9_mux_poll_start(m); |
311 | if (n) | 312 | if (n) { |
313 | kfree(m); | ||
312 | return ERR_PTR(n); | 314 | return ERR_PTR(n); |
315 | } | ||
313 | 316 | ||
314 | n = trans->poll(trans, &m->pt); | 317 | n = trans->poll(trans, &m->pt); |
315 | if (n & POLLIN) { | 318 | if (n & POLLIN) { |