| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Jul 2007 13:13:34 -0600
From: "Latchesar Ionkov" <lucho@...kov.net>
To: "Eric Van Hensbergen" <ericvh@...il.com>
Cc: "Adrian Bunk" <bunk@...sta.de>,
v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: net/9p/mux.c: use-after-free
Yep, it's a leak.
Thanks,
Lucho
On 7/25/07, Eric Van Hensbergen <ericvh@...il.com> wrote:
> On 7/22/07, Adrian Bunk <bunk@...sta.de> wrote:
> > The Coverity checker spotted the following use-after-free
> > in net/9p/mux.c:
> >
> > <-- snip -->
> >
> > ...
> > struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
> > unsigned char *extended)
> > {
> > ...
> > if (!m->tagpool) {
> > kfree(m);
> > return ERR_PTR(PTR_ERR(m->tagpool));
> > }
> > ...
> >
> > <-- snip -->
> >
>
> I've got a fix for this one:
> if (!m->tagpool) {
> mtmp = ERR_PTR(PTR_ERR(m->tagpool));
> kfree(m);
> return mtmp;
> }
>
> but I was wondering about one of the other returns further down the function:
>
> ...
> memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
> m->poll_task = NULL;
> n = p9_mux_poll_start(m);
> if (n)
> return ERR_PTR(n);
>
> n = trans->poll(trans, &m->pt);
> ...
>
> lucho: doesn't that constitute a leak? Shouldn't we be doing:
>
> if (n) {
> kfree(m);
> return ERR_PTR(n);
> }
>
> -eric
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists