diff options
| author | kib <kib@FreeBSD.org> | 2011-03-25 10:57:57 +0000 |
|---|---|---|
| committer | kib <kib@FreeBSD.org> | 2011-03-25 10:57:57 +0000 |
| commit | 1d38d5630c1cec253fbe382619dfd33928c404c6 (patch) | |
| tree | 181435a92fa65322c4dff4efe2221984fd2d6495 /sys/compat | |
| parent | 3fa8d0321a9d9e001f4a5c413f05da62d916a6c6 (diff) | |
| download | FreeBSD-src-1d38d5630c1cec253fbe382619dfd33928c404c6.zip FreeBSD-src-1d38d5630c1cec253fbe382619dfd33928c404c6.tar.gz | |
Fix file leakage in the freebsd32_ioctl routines.
Code inspection shows freebsd32_ioctl calls fget for a fd and calls
a subroutine to handle each specific ioctl. It is expected that the
subroutine will call fdrop when done. However many of the subroutines
will exit out early if copyin encounters an error resulting in fdrop
never being called.
Submitted by: John Wehle <john feith com>
MFC after: 3 days
Diffstat (limited to 'sys/compat')
| -rw-r--r-- | sys/compat/freebsd32/freebsd32_ioctl.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/sys/compat/freebsd32/freebsd32_ioctl.c b/sys/compat/freebsd32/freebsd32_ioctl.c index 122bb4d..04debd8 100644 --- a/sys/compat/freebsd32/freebsd32_ioctl.c +++ b/sys/compat/freebsd32/freebsd32_ioctl.c @@ -70,7 +70,6 @@ freebsd32_ioctl_md(struct thread *td, struct freebsd32_ioctl_args *uap, panic("%s: where is my ioctl data??", __func__); if (uap->com & IOC_IN) { if ((error = copyin(uap->data, &md32, sizeof(md32)))) { - fdrop(fp, td); return (error); } CP(md32, mdv, md_version); @@ -121,7 +120,6 @@ freebsd32_ioctl_md(struct thread *td, struct freebsd32_ioctl_args *uap, CP(mdv, md32, md_fwsectors); error = copyout(&md32, uap->data, sizeof(md32)); } - fdrop(fp, td); return error; } @@ -144,7 +142,6 @@ freebsd32_ioctl_ioc_toc_header(struct thread *td, CP(toch32, toch, ending_track); error = fo_ioctl(fp, CDIOREADTOCHEADER, (caddr_t)&toch, td->td_ucred, td); - fdrop(fp, td); return (error); } @@ -175,7 +172,6 @@ freebsd32_ioctl_ioc_read_toc(struct thread *td, PTROUT_CP(toce, toce32, data); error = copyout(&toce32, uap->data, sizeof(toce32)); } - fdrop(fp, td); return error; } @@ -192,7 +188,6 @@ freebsd32_ioctl_fiodgname(struct thread *td, CP(fgn32, fgn, len); PTRIN_CP(fgn32, fgn, buf); error = fo_ioctl(fp, FIODGNAME, (caddr_t)&fgn, td->td_ucred, td); - fdrop(fp, td); return (error); } @@ -219,16 +214,20 @@ freebsd32_ioctl(struct thread *td, struct freebsd32_ioctl_args *uap) case MDIOCDETACH_32: /* FALLTHROUGH */ case MDIOCQUERY_32: /* FALLTHROUGH */ case MDIOCLIST_32: - return freebsd32_ioctl_md(td, uap, fp); + error = freebsd32_ioctl_md(td, uap, fp); + break; case CDIOREADTOCENTRYS_32: - return freebsd32_ioctl_ioc_read_toc(td, uap, fp); + error = freebsd32_ioctl_ioc_read_toc(td, uap, fp); + break; case CDIOREADTOCHEADER_32: - return freebsd32_ioctl_ioc_toc_header(td, uap, fp); + error = freebsd32_ioctl_ioc_toc_header(td, uap, fp); + break; case FIODGNAME_32: - return freebsd32_ioctl_fiodgname(td, uap, fp); + error = freebsd32_ioctl_fiodgname(td, uap, fp); + break; default: fdrop(fp, td); @@ -237,4 +236,7 @@ freebsd32_ioctl(struct thread *td, struct freebsd32_ioctl_args *uap) PTRIN_CP(*uap, ap, data); return ioctl(td, &ap); } + + fdrop(fp, td); + return error; } |
