MFC: r299514

Fix use-after-free in NFS4 lock test service. Trivial use-after-free where stp was freed too soon in the non-error path. To fix, simply move its release to the end of the routine.
author: rmacklem <rmacklem@FreeBSD.org> 2016-05-26 21:32:16 +0000
committer: rmacklem <rmacklem@FreeBSD.org> 2016-05-26 21:32:16 +0000
commit: 4d757f765535fe45ddfcedbf0534d8559173870d (patch)
tree: 1bbe6c3f5ce9140278d0b415e1681d2d2e57cb04 /sys/fs/nfsserver/nfs_nfsdserv.c
parent: 6c58c5ba3a4a050d01fa1208b1c31cfac522710a (diff)
download: FreeBSD-src-4d757f765535fe45ddfcedbf0534d8559173870d.zip
FreeBSD-src-4d757f765535fe45ddfcedbf0534d8559173870d.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 0264182..4532ca4 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -2416,8 +2416,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
 	if (!nd->nd_repstat)
 	  nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
 	    &stateid, exp, nd, p);
-	if (stp)
-		FREE((caddr_t)stp, M_NFSDSTATE);
 	if (nd->nd_repstat) {
 	    if (nd->nd_repstat == NFSERR_DENIED) {
 		NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@@ -2439,6 +2437,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
 	    }
 	}
 	vput(vp);
+	if (stp)
+		FREE((caddr_t)stp, M_NFSDSTATE);
 	NFSEXITCODE2(0, nd);
 	return (0);
 nfsmout:
author	rmacklem <rmacklem@FreeBSD.org>	2016-05-26 21:32:16 +0000
committer	rmacklem <rmacklem@FreeBSD.org>	2016-05-26 21:32:16 +0000
commit	4d757f765535fe45ddfcedbf0534d8559173870d (patch)
tree	1bbe6c3f5ce9140278d0b415e1681d2d2e57cb04 /sys/fs/nfsserver/nfs_nfsdserv.c
parent	6c58c5ba3a4a050d01fa1208b1c31cfac522710a (diff)
download	FreeBSD-src-4d757f765535fe45ddfcedbf0534d8559173870d.zip FreeBSD-src-4d757f765535fe45ddfcedbf0534d8559173870d.tar.gz