diff options
| author | Kinglong Mee <kinglongmee@gmail.com> | 2014-07-07 22:10:56 +0800 | 
|---|---|---|
| committer | J. Bruce Fields <bfields@redhat.com> | 2014-07-23 10:31:56 -0400 | 
| commit | f98bac5a30b60a2fca854dd5ee7256221d8ccf0a (patch) | |
| tree | de5ccad7c101e5f307f7cd3686477675de40b81c /lib/average.c | |
| parent | c3a4561796cffae6996264876ffca147b5c3709a (diff) | |
NFSD: Fix crash encoding lock reply on 32-bit
Commit 8c7424cff6 "nfsd4: don't try to encode conflicting owner if low
on space" forgot to free conf->data in nfsd4_encode_lockt and before
sign conf->data to NULL in nfsd4_encode_lock_denied, causing a leak.
Worse, kfree() can be called on an uninitialized pointer in the case of
a succesful lock (or one that fails for a reason other than a conflict).
(Note that lock->lk_denied.ld_owner.data appears it should be zero here,
until you notice that it's one arm of a union the other arm of which is
written to in the succesful case by the
	memcpy(&lock->lk_resp_stateid, &lock_stp->st_stid.sc_stateid,
	                                sizeof(stateid_t));
in nfsd4_lock().  In the 32-bit case this overwrites ld_owner.data.)
Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
Fixes: 8c7424cff6 ""nfsd4: don't try to encode conflicting owner if low on space"
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'lib/average.c')
0 files changed, 0 insertions, 0 deletions
