projects / freebsd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1dbbdb8) | patch
Clear the cookie pointer on error in tmpfs_readdir().
authormarkj <markj@FreeBSD.org>
Fri, 12 Feb 2016 20:43:53 +0000 (20:43 +0000)
committermarkj <markj@FreeBSD.org>
Fri, 12 Feb 2016 20:43:53 +0000 (20:43 +0000)
commitc39d0036aec3c0e07779d2b299622d9ca6236655
tree1ee86a85785a6c517a0c97af430dd6915da9901ctree | snapshot
parent1dbbdb820af887972a0c03e197d18b97bbaba3bbcommit | diff
Clear the cookie pointer on error in tmpfs_readdir().

It is otherwise left dangling, and callers that request cookies always free
the cookie buffer, even when VOP_READDIR(9) returns an error. This results
in a double free if tmpfs_readdir() returns an error to the NFS server or
the Linux getdents(2) emulation code.

Reported by: pho
MFC after: 1 week
Security: double free of malloc(9)-backed memory
Sponsored by: EMC / Isilon Storage Division
sys/fs/tmpfs/tmpfs_vnops.c diff | blob | blame | history
FreeBSD Project Source