authordavide <davide@FreeBSD.org>2013-07-03 10:31:45 +0000
committerdavide <davide@FreeBSD.org>2013-07-03 10:31:45 +0000
commit6321e048941778d77adaf27bec7211cdac65f84d (patch)
treef6509765dd1bb682e13e6f53a05ed147c951a956 /sys/fs/smbfs/smbfs_smb.c
parent175de3296169e6480f853e2e9c8dc7686b28415c (diff)
- Fix double frees/use after free.
- Allocate using smb_rq_alloc() instead of inlining it. Reported by: uqs Found with: Coverity Scan
Diffstat (limited to 'sys/fs/smbfs/smbfs_smb.c')
-rw-r--r--sys/fs/smbfs/smbfs_smb.c169
1 files changed, 56 insertions, 113 deletions
diff --git a/sys/fs/smbfs/smbfs_smb.c b/sys/fs/smbfs/smbfs_smb.c
index ec4a49d..0e10e5e 100644
--- a/sys/fs/smbfs/smbfs_smb.c
+++ b/sys/fs/smbfs/smbfs_smb.c
@@ -94,12 +94,10 @@ smbfs_smb_lockandx(struct smbnode *np, int op, u_int32_t pid, off_t start, off_t
if (op == SMB_LOCK_SHARED)
ltype |= SMB_LOCKING_ANDX_SHARED_LOCK;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint8(mbp, 0xff); /* secondary command */
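Review bot: Nothing at the new `smb_rq_alloc()` call in smbfs_smb_lockandx records that the request is now released by `smb_rq_done()`, which is the invariant every removed `free(rqp, M_SMBFSDATA)` in this commit depends on. Presumably `smb_rq_alloc()` marks the request so that `smb_rq_done()` frees it; its body is not shown on this page, so that should be confirmed. If it holds, a `free(rqp, ...)` reintroduced later would be a double free again. A one-line comment above the call, such as `/* rqp comes from smb_rq_alloc(); smb_rq_done() releases it, never free() it here */`, would make the ownership visible, and the same applies to the other converted functions in this file. The function body continues outside this hunk.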
@@ -119,7 +117,6 @@ smbfs_smb_lockandx(struct smbnode *np, int op, u_int32_t pid, off_t start, off_t
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -188,19 +185,16 @@ smbfs_smb_statfs(struct smb_share *ssp, struct statfs *sbp,
u_int16_t units, bpu, bsize, funits;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK,
+ scred, &rqp);
+ if (error)
+ return (error);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
smb_rq_bstart(rqp);
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
if (error) {
- free(rqp, M_SMBFSDATA);
smb_rq_done(rqp);
return error;
}
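Review bot: The failure branch after `smb_rq_simple()` in smbfs_smb_statfs still carries its own copy of the cleanup (`smb_rq_done(rqp); return error;`), separate from the one at the end of the function. That duplicated exit is where the old code released the request before handing it to `smb_rq_done()`. Replacing the branch body with `goto out;`, placing `out:` before the final `smb_rq_done(rqp)` and returning `error` there would leave a single cleanup site to keep correct. The end of the function lies outside this hunk.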
@@ -216,7 +210,6 @@ smbfs_smb_statfs(struct smb_share *ssp, struct statfs *sbp,
sbp->f_files = 0xffff; /* total file nodes in filesystem */
sbp->f_ffree = 0xffff; /* free file nodes in fs */
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return 0;
}
@@ -260,12 +253,9 @@ smb_smb_flush(struct smbnode *np, struct smb_cred *scred)
if ((np->n_flag & NOPEN) == 0 || !SMBTOV(np) ||
SMBTOV(np)->v_type != VREG)
return 0; /* not a regular open file */
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_FLUSH, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_FLUSH, scred, &rqp);
+ if (error)
return (error);
- }
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
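Review bot: The file-id copy `mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);` in smb_smb_flush hard-codes the length 2 instead of deriving it from the field. smbfs_smb_close in this same diff passes `sizeof(fid)`, so `sizeof(np->n_fid)` here would keep the copied length tied to the field's type (assuming `n_fid` is the 16-bit file id, which this page does not show). The same literal appears in smbfs_smb_setfsize and, for `ctx->f_Sid`, in smbfs_smb_findclose2. These are unchanged context lines, so the change fits a follow-up commit.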
@@ -274,7 +264,6 @@ smb_smb_flush(struct smbnode *np, struct smb_cred *scred)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
if (!error)
np->n_flag &= ~NFLUSHWIRE;
return (error);
@@ -301,12 +290,9 @@ smbfs_smb_setfsize(struct smbnode *np, int newsize, struct smb_cred *scred)
return (0);
}
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_WRITE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_WRITE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
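Review bot: The added `return (error);` in smbfs_smb_setfsize is parenthesized, but the function's final `return error;` in the next hunk is left as it was, so the function now mixes both forms. The only change this commit makes to smbfs_smb_search is that same parenthesization, which suggests `return (error);` is the intended style. The trailing `return error;` in the other converted functions (smbfs_smb_lockandx, smbfs_smb_statfs, smbfs_smb_query_info and the rest) could be changed in the same pass.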
@@ -320,7 +306,6 @@ smbfs_smb_setfsize(struct smbnode *np, int newsize, struct smb_cred *scred)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -337,12 +322,10 @@ smbfs_smb_query_info(struct smbnode *np, const char *name, int len,
u_int16_t wattr;
u_int32_t lint;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -377,7 +360,6 @@ smbfs_smb_query_info(struct smbnode *np, const char *name, int len,
fap->fa_size = lint;
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -394,12 +376,10 @@ smbfs_smb_setpattr(struct smbnode *np, u_int16_t attr, struct timespec *mtime,
u_long time;
int error, svtz;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
svtz = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -431,7 +411,6 @@ smbfs_smb_setpattr(struct smbnode *np, u_int16_t attr, struct timespec *mtime,
}
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -554,12 +533,10 @@ smbfs_smb_setftime(struct smbnode *np, struct timespec *mtime,
u_int16_t date, time;
int error, tzoff;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred,
+ &rqp);
+ if (error)
+ return (error);
tzoff = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -584,7 +561,6 @@ smbfs_smb_setftime(struct smbnode *np, struct timespec *mtime,
error = smb_rq_simple(rqp);
SMBSDEBUG("%d\n", error);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -648,12 +624,9 @@ smbfs_smb_open(struct smbnode *np, int accmode, struct smb_cred *scred)
u_int16_t fid, wattr, grantedmode;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_OPEN, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_OPEN, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, accmode);
@@ -684,7 +657,6 @@ smbfs_smb_open(struct smbnode *np, int accmode, struct smb_cred *scred)
*/
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
if (error)
return error;
np->n_fid = fid;
@@ -702,12 +674,9 @@ smbfs_smb_close(struct smb_share *ssp, u_int16_t fid, struct timespec *mtime,
u_long time;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CLOSE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CLOSE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&fid, sizeof(fid), MB_MSYSTEM);
@@ -721,7 +690,6 @@ smbfs_smb_close(struct smb_share *ssp, u_int16_t fid, struct timespec *mtime,
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -739,12 +707,9 @@ smbfs_smb_create(struct smbnode *dnp, const char *name, int nmlen,
u_long tm;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_ARCHIVE); /* attributes */
@@ -771,7 +736,6 @@ smbfs_smb_create(struct smbnode *dnp, const char *name, int nmlen,
if (error)
return error;
smbfs_smb_close(ssp, fid, &ctime, scred);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -783,12 +747,9 @@ smbfs_smb_delete(struct smbnode *np, struct smb_cred *scred)
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -801,7 +762,6 @@ smbfs_smb_delete(struct smbnode *np, struct smb_cred *scred)
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -814,12 +774,9 @@ smbfs_smb_rename(struct smbnode *src, struct smbnode *tdnp,
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_RENAME, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_RENAME, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -838,7 +795,6 @@ smbfs_smb_rename(struct smbnode *src, struct smbnode *tdnp,
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -851,12 +807,9 @@ smbfs_smb_move(struct smbnode *src, struct smbnode *tdnp,
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_MOVE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_MOVE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_TID_UNKNOWN);
@@ -877,7 +830,6 @@ smbfs_smb_move(struct smbnode *src, struct smbnode *tdnp,
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -890,12 +842,10 @@ smbfs_smb_mkdir(struct smbnode *dnp, const char *name, int len,
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -907,7 +857,6 @@ smbfs_smb_mkdir(struct smbnode *dnp, const char *name, int len,
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -919,12 +868,10 @@ smbfs_smb_rmdir(struct smbnode *np, struct smb_cred *scred)
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -936,7 +883,6 @@ smbfs_smb_rmdir(struct smbnode *np, struct smb_cred *scred)
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -958,7 +904,7 @@ smbfs_smb_search(struct smbfs_fctx *ctx)
}
error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_SEARCH, ctx->f_scred, &rqp);
if (error)
- return error;
+ return (error);
ctx->f_rq = rqp;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -1204,12 +1150,10 @@ smbfs_smb_findclose2(struct smbfs_fctx *ctx)
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2, ctx->f_scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2,
+ ctx->f_scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&ctx->f_Sid, 2, MB_MSYSTEM);
@@ -1218,7 +1162,6 @@ smbfs_smb_findclose2(struct smbfs_fctx *ctx)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}