diff options
| author | kib <kib@FreeBSD.org> | 2015-02-06 09:02:10 +0000 |
|---|---|---|
| committer | kib <kib@FreeBSD.org> | 2015-02-06 09:02:10 +0000 |
| commit | d00b9ac996246997218e24586889f5e322208a3c (patch) | |
| tree | 1889bf5f102a2db1430e4a37998488d9f4d7dee1 | |
| parent | e0c8cbf143628871280d2a9161e582f135dd78c9 (diff) | |
| download | FreeBSD-src-d00b9ac996246997218e24586889f5e322208a3c.zip FreeBSD-src-d00b9ac996246997218e24586889f5e322208a3c.tar.gz | |
MFC r278145:
Fix use after free in pipe_dtor().
| -rw-r--r-- | sys/kern/sys_pipe.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 1e63dba..2d3e813 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -374,15 +374,16 @@ pipe_named_ctor(struct pipe **ppipe, struct thread *td) void pipe_dtor(struct pipe *dpipe) { + struct pipe *peer; ino_t ino; ino = dpipe->pipe_ino; + peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL; funsetown(&dpipe->pipe_sigio); pipeclose(dpipe); - if (dpipe->pipe_state & PIPE_NAMED) { - dpipe = dpipe->pipe_peer; - funsetown(&dpipe->pipe_sigio); - pipeclose(dpipe); + if (peer != NULL) { + funsetown(&peer->pipe_sigio); + pipeclose(peer); } if (ino != 0 && ino != (ino_t)-1) free_unr(pipeino_unr, ino); |
