author | csjp <csjp@FreeBSD.org> | 2006-01-16 17:03:21 +0000 |
---|---|---|
committer | csjp <csjp@FreeBSD.org> | 2006-01-16 17:03:21 +0000 |
commit | be2af71ad1a9adff34663f1e3156a7d2f13bce18 (patch) | |
tree | 44baca38a41cd09d8880682daa0741db918f3ff5 /sys/netsmb | |
parent | 5ed013569426944a42840951d6e004c0722feea7 (diff) | |
Although we check the return value of copyin(9) while determining how
long the string is in userspace, afterwards we call malloc(M_WAITOK),
which could sleep for an unknown amount of time. Check the return
value of copyin(9) just to be sure that nothing has changed during that
time.
Found with: Coverity Prevent (tm)
MFC after: 1 week
Diffstat (limited to 'sys/netsmb')
-rw-r--r-- | sys/netsmb/smb_subr.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/netsmb/smb_subr.c b/sys/netsmb/smb_subr.c
index b8dab57..6895b65 100644
--- a/sys/netsmb/smb_subr.c
+++ b/sys/netsmb/smb_subr.c
@@ -117,7 +117,7 @@ char *
 smb_strdupin(char *s, int maxlen)
 {
 char *p, bt;
- int len = 0;
+ int error, len = 0;
 for (p = s; ;p++) {
 if (copyin(p, &bt, 1))
@@ -129,7 +129,11 @@ smb_strdupin(char *s, int maxlen)
 break;
 }
 p = malloc(len, M_SMBSTR, M_WAITOK);
- copyin(s, p, len);
+ error = copyin(s, p, len);
+ if (error) {
+ free(p, M_SMBSTR);
+ return (NULL);
+ }
 return p;
 } |
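Review bot: Checking the error from the second `copyin(s, p, len)` in the second hunk does not close the double fetch, because the length was measured by the byte-wise loop and user space can rewrite the string while `malloc(..., M_WAITOK)` sleeps. A second copy that succeeds may therefore no longer end in a NUL, and callers that treat the result as a C string could read past the `len`-byte allocation. If `len` counts the terminator, as the loop appears to do, adding `p[len - 1] = '\0';` after the successful copy keeps the kernel copy bounded regardless of what user space did in between. The loop body between the two hunks is not shown here, so the exact meaning of `len` should be confirmed before applying this; `copyinstr(9)` could be considered as a single-pass alternative.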