| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Jul 2007 13:43:16 -0500
From: "Eric Van Hensbergen" <ericvh@...il.com>
To: "Adrian Bunk" <bunk@...sta.de>
Cc: "Latchesar Ionkov" <lucho@...kov.net>,
v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: net/9p/mux.c: use-after-free
On 7/22/07, Adrian Bunk <bunk@...sta.de> wrote:
> The Coverity checker spotted the following use-after-free
> in net/9p/mux.c:
>
> <-- snip -->
>
> ...
> struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
> unsigned char *extended)
> {
> ...
> if (!m->tagpool) {
> kfree(m);
> return ERR_PTR(PTR_ERR(m->tagpool));
> }
> ...
>
> <-- snip -->
>
I've got a fix for this one:
if (!m->tagpool) {
mtmp = ERR_PTR(PTR_ERR(m->tagpool));
kfree(m);
return mtmp;
}
but I was wondering about one of the other returns further down the function:
...
memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
m->poll_task = NULL;
n = p9_mux_poll_start(m);
if (n)
return ERR_PTR(n);
n = trans->poll(trans, &m->pt);
...
lucho: doesn't that constitute a leak? Shouldn't we be doing:
if (n) {
kfree(m);
return ERR_PTR(n);
}
-eric
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists