author | kib <kib@FreeBSD.org> | 2011-12-01 11:36:41 +0000 |
---|---|---|
committer | kib <kib@FreeBSD.org> | 2011-12-01 11:36:41 +0000 |
commit | 132ad7aa9b624e01c572592aeb815bac0f8a5940 (patch) | |
tree | 1c3c82f0514234b775b1708b1983e80b04aebcd3 /sys/kern/sys_pipe.c | |
parent | 4dbebd9e51232cf237c712f624cf1cc76206213a (diff) | |
download | FreeBSD-src-132ad7aa9b624e01c572592aeb815bac0f8a5940.zip FreeBSD-src-132ad7aa9b624e01c572592aeb815bac0f8a5940.tar.gz |
If alloc_unr() call in the pipe_create() failed, then pipe->pipe_ino is
-1. But, because ino_t is unsigned, this case was not covered by the
test ino > 0 in pipeclose(), leading to the free_unr(-1). Fix it by
explicitly comparing with 0 and -1. [1]
Do not access freed memory, the inode number was cached to prevent access
to cpipe after it possibly was freed, but I failed to commit the right
patch.
Noted by: gianni [1]
Pointy hat to: kib
MFC after: 3 days
Diffstat (limited to 'sys/kern/sys_pipe.c')
-rw-r--r-- | sys/kern/sys_pipe.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 13e056f..2b6eb66 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -1554,8 +1554,8 @@ pipeclose(cpipe) } else PIPE_UNLOCK(cpipe); - if (ino > 0) - free_unr(pipeino_unr, cpipe->pipe_ino); + if (ino != 0 && ino != (ino_t)-1) + free_unr(pipeino_unr, ino); } /*ARGSUSED*/ |
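Review bot: The new test `ino != 0 && ino != (ino_t)-1` in pipeclose() relies on two sentinel values with no comment saying what each one means. The commit message explains that -1 is what pipe_ino holds after a failed alloc_unr() in pipe_create(), but nothing in the visible lines says what 0 stands for. A short comment above the test, or a small macro naming the "no inode number allocated" states, would stop a later cleanup from collapsing it back to `ino > 0`, which is the comparison that let free_unr() be called with -1 because ino_t is unsigned. Passing the cached `ino` to free_unr() instead of `cpipe->pipe_ino` matches the freed-memory access described in the message; the assignment to `ino` is outside the context shown here, so it is worth confirming that it is read before the point where cpipe can be freed.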