| Message ID | 7087.1313450537@jrobl (mailing list archive) |
|---|---|
| State | New, archived |
On Tue, 16 Aug 2011 08:22:17 +0900 "J. R. Okajima" <hooanon05@yahoo.co.jp> wrote: > > Hello, > > CIFS cleanup_volume_info_contents() looks like having a memory > corruption problem. > When UNCip is set to "&vol->UNC[2]" in cifs_parse_mount_options(), it > should not be kfree()-ed in cleanup_volume_info_contents(). > > If it is correct and the code in mainline is not fixed yet, then here is > a patch. > > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index ccc1afa..e0ea721 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -2838,7 +2838,8 @@ cleanup_volume_info_contents(struct smb_vol *volume_info) > kfree(volume_info->username); > kzfree(volume_info->password); > kfree(volume_info->UNC); > - kfree(volume_info->UNCip); > + if (volume_info->UNCip != volume_info->UNC + 2) > + kfree(volume_info->UNCip); > kfree(volume_info->domainname); > kfree(volume_info->iocharset); > kfree(volume_info->prepath); > > Looks correct, nice catch. Reviewed-by: Jeff Layton <jlayton@redhat.com> -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, 16 Aug 2011 08:22:17 +0900 "J. R. Okajima" <hooanon05@yahoo.co.jp> wrote: > > Hello, > > CIFS cleanup_volume_info_contents() looks like having a memory > corruption problem. > When UNCip is set to "&vol->UNC[2]" in cifs_parse_mount_options(), it > should not be kfree()-ed in cleanup_volume_info_contents(). > > If it is correct and the code in mainline is not fixed yet, then here is > a patch. > > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index ccc1afa..e0ea721 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -2838,7 +2838,8 @@ cleanup_volume_info_contents(struct smb_vol *volume_info) > kfree(volume_info->username); > kzfree(volume_info->password); > kfree(volume_info->UNC); > - kfree(volume_info->UNCip); > + if (volume_info->UNCip != volume_info->UNC + 2) > + kfree(volume_info->UNCip); > kfree(volume_info->domainname); > kfree(volume_info->iocharset); > kfree(volume_info->prepath); > > Also, this patch should obviously go to stable too.
merged On Mon, Aug 15, 2011 at 6:22 PM, J. R. Okajima <hooanon05@yahoo.co.jp> wrote: > > Hello, > > CIFS cleanup_volume_info_contents() looks like having a memory > corruption problem. > When UNCip is set to "&vol->UNC[2]" in cifs_parse_mount_options(), it > should not be kfree()-ed in cleanup_volume_info_contents(). > > If it is correct and the code in mainline is not fixed yet, then here is > a patch. > > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index ccc1afa..e0ea721 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -2838,7 +2838,8 @@ cleanup_volume_info_contents(struct smb_vol *volume_info) > kfree(volume_info->username); > kzfree(volume_info->password); > kfree(volume_info->UNC); > - kfree(volume_info->UNCip); > + if (volume_info->UNCip != volume_info->UNC + 2) > + kfree(volume_info->UNCip); > kfree(volume_info->domainname); > kfree(volume_info->iocharset); > kfree(volume_info->prepath); > > > J. R. Okajima >
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index ccc1afa..e0ea721 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -2838,7 +2838,8 @@ cleanup_volume_info_contents(struct smb_vol *volume_info) kfree(volume_info->username); kzfree(volume_info->password); kfree(volume_info->UNC); - kfree(volume_info->UNCip); + if (volume_info->UNCip != volume_info->UNC + 2) + kfree(volume_info->UNCip); kfree(volume_info->domainname); kfree(volume_info->iocharset); kfree(volume_info->prepath);
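Review bot: the guard `if (volume_info->UNCip != volume_info->UNC + 2)` hard-codes the aliasing convention from cifs_parse_mount_options() (`UNCip = &vol->UNC[2]`) at the free site, so the two places can silently drift apart if the parser ever changes the offset or the aliasing rule; making ownership explicit would be more robust, for example by clearing UNCip (or setting it from a separate kstrdup()) in the aliasing case so that cleanup_volume_info_contents() can unconditionally kfree() whatever is non-NULL. Also note that `kfree(volume_info->UNC)` runs before the comparison, so `UNC + 2` is computed from an already-freed pointer; this is pointer arithmetic only and not a dereference, but moving the check above the `kfree(volume_info->UNC)` line (or nulling the alias there) would make the intent obvious and avoid a dangling-pointer comparison that static checkers may flag.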