9p: fix use after free

On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote:
     The Coverity checker spotted the following use-after-free
     in net/9p/mux.c:

     <--  snip  -->

     ...
     struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
                                         unsigned char *extended)
     {
     ...
             if (!m->tagpool) {
                     kfree(m);
                     return ERR_PTR(PTR_ERR(m->tagpool));
             }
     ...

     <--  snip  -->

Also spotted was a leak of the same structure further down in the function.

Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>

diff --git a/net/9p/mux.c b/net/9p/mux.c
index acb0388..5d70558 100644 (file)
--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
        m->extended = extended;
        m->trans = trans;
        m->tagpool = p9_idpool_create();
-       if (!m->tagpool) {
+       if (IS_ERR(m->tagpool)) {
+               mtmp = ERR_PTR(-ENOMEM);
                kfree(m);
-               return ERR_PTR(PTR_ERR(m->tagpool));
+               return mtmp;
        }
 
        m->err = 0;
@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
        memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
        m->poll_task = NULL;
        n = p9_mux_poll_start(m);
-       if (n)
+       if (n) {
+               kfree(m);
                return ERR_PTR(n);
+       }
 
        n = trans->poll(trans, &m->pt);
        if (n & POLLIN) {