9p: fix use after free

On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote: The Coverity checker spotted the following use-after-free in net/9p/mux.c: <-- snip --> ... struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, unsigned char *extended) { ... if (!m->tagpool) { kfree(m); return ERR_PTR(PTR_ERR(m->tagpool)); } ... <-- snip --> Also spotted was a leak of the same structure further down in the function. Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
2024-12-02 00:24:12 +08:00 · 2007-07-26 14:04:54 -05:00 · 2007-07-26 14:04:54 -05:00 · 1a3cac6c6d
commit 1a3cac6c6d
parent 8eb891fc80
1 changed files with 6 additions and 3 deletions
--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
 	m->extended = extended;
 	m->trans = trans;
 	m->tagpool = p9_idpool_create();
-	if (!m->tagpool) {
+	if (IS_ERR(m->tagpool)) {
+		mtmp = ERR_PTR(-ENOMEM);
 		kfree(m);
-		return ERR_PTR(PTR_ERR(m->tagpool));
+		return mtmp;
 	}

 	m->err = 0;
@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
 	memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
 	m->poll_task = NULL;
 	n = p9_mux_poll_start(m);
-	if (n)
+	if (n) {
+		kfree(m);
 		return ERR_PTR(n);
+	}

 	n = trans->poll(trans, &m->pt);
 	if (n & POLLIN) {