From 1a3cac6c6d1f56dc26939eb41be29844f897c15a Mon Sep 17 00:00:00 2001 From: Eric Van Hensbergen Date: Thu, 26 Jul 2007 14:04:54 -0500 Subject: 9p: fix use after free On 7/22/07, Adrian Bunk wrote: The Coverity checker spotted the following use-after-free in net/9p/mux.c: <-- snip --> ... struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, unsigned char *extended) { ... if (!m->tagpool) { kfree(m); return ERR_PTR(PTR_ERR(m->tagpool)); } ... <-- snip --> Also spotted was a leak of the same structure further down in the function. Signed-off-by: Eric Van Hensbergen --- net/9p/mux.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/9p/mux.c b/net/9p/mux.c index acb038810f39..5d70558c4c61 100644 --- a/net/9p/mux.c +++ b/net/9p/mux.c @@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, m->extended = extended; m->trans = trans; m->tagpool = p9_idpool_create(); - if (!m->tagpool) { + if (IS_ERR(m->tagpool)) { + mtmp = ERR_PTR(-ENOMEM); kfree(m); - return ERR_PTR(PTR_ERR(m->tagpool)); + return mtmp; } m->err = 0; @@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, memset(&m->poll_waddr, 0, sizeof(m->poll_waddr)); m->poll_task = NULL; n = p9_mux_poll_start(m); - if (n) + if (n) { + kfree(m); return ERR_PTR(n); + } n = trans->poll(trans, &m->pt); if (n & POLLIN) { -- cgit v1.2.3 From 02881d94780faa86e32952e46381f7cd4c78d5ac Mon Sep 17 00:00:00 2001 From: Mariusz Kozlowski Date: Thu, 23 Aug 2007 10:24:28 -0500 Subject: 9p: fix bad error path in conversion routines When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err)) and it will not be happy about it. Signed-off-by: Mariusz Kozlowski Signed-off-by: Eric Van Hensbergen --- net/9p/conv.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net') diff --git a/net/9p/conv.c b/net/9p/conv.c index f2a041cb508a..d979d958ea19 100644 --- a/net/9p/conv.c +++ b/net/9p/conv.c @@ -796,6 +796,7 @@ struct p9_fcall *p9_create_twrite_u(u32 fid, u64 offset, u32 count, if (err) { kfree(fc); fc = ERR_PTR(err); + goto error; } if (buf_check_overflow(bufp)) { -- cgit v1.2.3