From patchwork Thu Apr 18 18:48:18 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Dickson X-Patchwork-Id: 2462171
From: Steve Dickson To: Libtirpc-devel Mailing List Cc: Linux NFS Mailing list Subject: [PATCH] svc_getargs(): Should not be freeing arg pointers on failures Date: Thu, 18 Apr 2013 14:48:18 -0400 Message-Id: <1366310898-9206-1-git-send-email-steved@redhat.com> X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduce a regression that causes callers of svc_getargs() to crash when svc_freeargs() frees args points that are allocated on the stack. svc_getargs() should let the callers do the freeing and not make any assumptions on the type of memory passed in. Also see: https://bugzilla.redhat.com/show_bug.cgi?id=948378 and CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash Signed-off-by: Steve Dickson --- src/svc_dg.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/svc_dg.c b/src/svc_dg.c index b1ac462..6e00191 100644 --- a/src/svc_dg.c +++ b/src/svc_dg.c @@ -284,7 +284,6 @@ svc_dg_getargs(xprt, xdr_args, args_ptr) { if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), xdr_args, args_ptr)) { - (void)svc_freeargs(xprt, xdr_args, args_ptr); return FALSE; } return TRUE;
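
Review bot: The svc_freeargs() call removed from the SVCAUTH_UNWRAP failure branch of svc_dg_getargs() was the only cleanup on that path, so anything the XDR routine may have allocated before the decode failed is now released only if the caller calls svc_freeargs() itself after svc_getargs() returns FALSE. The commit message says callers should do the freeing; please state that contract in a comment above the `return FALSE;` or in the svc_getargs() documentation, and check that existing callers free on failure, so that the invalid free is not traded for a leak on requests that fail to decode. The subject also speaks of svc_getargs() in general while the diffstat touches only src/svc_dg.c, so please confirm in the commit message whether 82cc2e61 added the same free-on-failure call to any other transport's getargs routine.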