Date: Wed, 25 Jul 2007 13:13:34 -0600
From: "Latchesar Ionkov" <lucho@...kov.net>
To: "Eric Van Hensbergen" <ericvh@...il.com>
Cc: "Adrian Bunk" <bunk@...sta.de>, v9fs-developer@...ts.sourceforge.net,
    netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: net/9p/mux.c: use-after-free

Yep, it's a leak.

Thanks,
    Lucho

On 7/25/07, Eric Van Hensbergen <ericvh@...il.com> wrote:
> On 7/22/07, Adrian Bunk <bunk@...sta.de> wrote:
> > The Coverity checker spotted the following use-after-free
> > in net/9p/mux.c:
> >
> > <-- snip -->
> >
> > ...
> > struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
> >                                     unsigned char *extended)
> > {
> > ...
> >         if (!m->tagpool) {
> >                 kfree(m);
> >                 return ERR_PTR(PTR_ERR(m->tagpool));
> >         }
> > ...
> >
> > <-- snip -->
> >
>
> I've got a fix for this one:
>         if (!m->tagpool) {
>                 mtmp = ERR_PTR(PTR_ERR(m->tagpool));
>                 kfree(m);
>                 return mtmp;
>         }
>
> but I was wondering about one of the other returns further down the function:
>
> ...
>         memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
>         m->poll_task = NULL;
>         n = p9_mux_poll_start(m);
>         if (n)
>                 return ERR_PTR(n);
>
>         n = trans->poll(trans, &m->pt);
> ...
>
> lucho: doesn't that constitute a leak?  Shouldn't we be doing:
>
>         if (n) {
>                 kfree(m);
>                 return ERR_PTR(n);
>         }
>
>           -eric
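Added example, not part of the original thread and not the 9p code: a userspace C model of a constructor with the two error paths discussed above, using a single cleanup path so the error is read before the object is freed and no early return leaks it. All names (conn, conn_create, pool_create, poll_start, live_conns, fail_at) are hypothetical, and the model assumes the pool constructor reports failure through ERR_PTR and is checked with IS_ERR.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers (simplified). */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

struct conn { void *tagpool; };   /* hypothetical stand-in for struct p9_conn */
static int live_conns;            /* outstanding conn allocations, for leak checks */

/* Constructed failure knobs: fail_at 1 = tag pool setup, 2 = poll start. */
static void *pool_create(int fail) { return fail ? ERR_PTR(-ENOMEM) : malloc(16); }
static int poll_start(int fail) { return fail ? -EAGAIN : 0; }

/* Every failure jumps to a cleanup label. The error code is copied into a
 * local before the object that held it is freed, and no path returns
 * without releasing what was allocated so far. */
struct conn *conn_create(int fail_at)
{
	long err;
	struct conn *m = calloc(1, sizeof(*m));

	if (!m)
		return ERR_PTR(-ENOMEM);
	live_conns++;

	m->tagpool = pool_create(fail_at == 1);
	if (IS_ERR(m->tagpool)) {
		err = PTR_ERR(m->tagpool);   /* read m BEFORE freeing it */
		goto free_conn;
	}
	err = poll_start(fail_at == 2);
	if (err)
		goto free_pool;              /* a bare return here would leak m */
	return m;

free_pool:
	free(m->tagpool);                    /* this model also releases the pool */
free_conn:
	free(m);
	live_conns--;
	return ERR_PTR(err);
}

void conn_destroy(struct conn *m)
{
	free(m->tagpool);
	free(m);
	live_conns--;
}
```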