The tmpfs_link() must not dereference the filesystem-specific data for

a vnode until it is verified that the vnode indeed belongs to tmpfs mount. Otherwise, it might access random memory, at least in the debug kernel. Reported and tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 2 weeks
author: kib <kib@FreeBSD.org> 2014-07-14 08:45:29 +0000
committer: kib <kib@FreeBSD.org> 2014-07-14 08:45:29 +0000
commit: 8542c8b735cda87e94daa65cef2491ac0e1bfb92 (patch)
tree: 1979e37130c6f7331327ecfeb624044fe1d688ff /sys/fs
parent: 7b68dd9333bbe51742432cfbc75b4d8de751d433 (diff)
download: FreeBSD-src-8542c8b735cda87e94daa65cef2491ac0e1bfb92.zip
FreeBSD-src-8542c8b735cda87e94daa65cef2491ac0e1bfb92.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c
index ea27fca..3586a28 100644
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@@ -570,8 +570,6 @@ tmpfs_link(struct vop_link_args *v)
 	MPASS(cnp->cn_flags & HASBUF);
 	MPASS(dvp != vp); /* XXX When can this be false? */
 
-	node = VP_TO_TMPFS_NODE(vp);
-
 	/* XXX: Why aren't the following two tests done by the caller? */
 
 	/* Hard links of directories are forbidden. */
@@ -586,6 +584,8 @@ tmpfs_link(struct vop_link_args *v)
 		goto out;
 	}
 
+	node = VP_TO_TMPFS_NODE(vp);
+
 	/* Ensure that we do not overflow the maximum number of links imposed
 	 * by the system. */
 	MPASS(node->tn_links <= LINK_MAX);
author	kib <kib@FreeBSD.org>	2014-07-14 08:45:29 +0000
committer	kib <kib@FreeBSD.org>	2014-07-14 08:45:29 +0000
commit	8542c8b735cda87e94daa65cef2491ac0e1bfb92 (patch)
tree	1979e37130c6f7331327ecfeb624044fe1d688ff /sys/fs
parent	7b68dd9333bbe51742432cfbc75b4d8de751d433 (diff)
download	FreeBSD-src-8542c8b735cda87e94daa65cef2491ac0e1bfb92.zip FreeBSD-src-8542c8b735cda87e94daa65cef2491ac0e1bfb92.tar.gz