From patchwork Sun Jan 18 12:29:02 2015
X-Patchwork-Submitter: Junxiao Bi
X-Patchwork-Id: 5653361
From: Junxiao Bi
To: linux-nfs@vger.kernel.org
Cc: bfields@fieldses.org
Subject: [PATCH] nfsd: fix memory corruption due to uninitialized variable
Date: Sun, 18 Jan 2015 20:29:02 +0800
Message-Id: <1421584142-12505-1-git-send-email-junxiao.bi@oracle.com>
X-Mailer: git-send-email 1.7.9.5
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-nfs@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

nfsd4_decode_open() doesn't initialize the variables open->op_file and open->op_stp; they are initialized in nfsd4_process_open1(), but if any error happens before initializing them, nfsd4_open() will call into nfsd4_cleanup_open_state() and corrupt memory. Since nfsd4_process_open1() will initialize these two variables and open->op_openowner, make them default to NULL at the beginning.

Signed-off-by: Junxiao Bi
---
 fs/nfsd/nfs4state.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index c06a1ba..6e74a91 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3547,6 +3547,10 @@ nfsd4_process_open1(struct nfsd4_compound_state *cstate,
 	struct nfs4_openowner *oo = NULL;
 	__be32 status;
 
+	open->op_file = NULL;
+	open->op_openowner = NULL;
+	open->op_stp = NULL;
+
 	if (STALE_CLIENTID(&open->op_clientid, nn))
 		return nfserr_stale_clientid;
 
 	/*
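Review bot: the NULL assignments at the top of nfsd4_process_open1() only cover error returns that happen inside this function (for example the STALE_CLIENTID check immediately below them); the commit message names nfsd4_decode_open() as the place that leaves op_file and op_stp unset, so either move the initialization into the decoder, where the rest of the struct is populated, or state in the commit message why every path from decode to nfsd4_cleanup_open_state() necessarily enters nfsd4_process_open1() first, since any future early exit in nfsd4_open() ahead of this call would reach the cleanup with the same uninitialized pointers. The description also explains only op_file and op_stp as the corrupting fields; add a sentence on why open->op_openowner gets the same treatment, and, because the failure is a release routine operating on uninitialized pointer values, mention how the corruption was reproduced (the stale-clientid error path is the obvious candidate) so the fix can be verified rather than inferred.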
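The bug class the commit message describes, a shared cleanup routine that releases whatever a request struct's pointer fields hold, reached through an error return that happens before those fields were ever assigned, is easy to model outside the kernel. The following is added illustration code written for this review, not nfsd code; every name (open_req, decode_open, process_open1, cleanup_open_state, handle_open, the file_obj/state_obj registry) is invented, and the "stale clientid" flag is a constructed input that forces the early error path. A tiny live-object registry stands in for what a poisoning allocator or KASAN would report: the cleanup refuses to touch a pointer it never handed out and reports it, instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>

/* Invented model of the pattern in the patch description: a request struct
 * whose pointer fields are assigned by a processing step that may fail
 * before assigning them, followed by a cleanup that runs on every path. */
struct file_obj  { int refs; };
struct state_obj { int refs; };

struct open_req {
    int stale_clientid;          /* constructed input: nonzero forces an early error */
    struct file_obj  *op_file;   /* named after the fields in the patch; not nfsd's struct */
    struct state_obj *op_stp;
};

/* Single live object of each kind; stands in for an allocator's bookkeeping. */
static struct file_obj  g_file;
static struct state_obj g_state;

static int is_live_file(const struct file_obj *f)   { return f == &g_file; }
static int is_live_state(const struct state_obj *s) { return s == &g_state; }

enum { ERR_NONE = 0, ERR_STALE_CLIENTID = -1, ERR_BAD_POINTER = -2 };

/* Decoder that only fills the fields it parses. With init_pointers == 0 it
 * reproduces the defect: the pointer fields keep whatever bytes were there.
 * Leftover content from an earlier request is simulated with planted values
 * that are never dereferenced. */
static void decode_open(struct open_req *open, int stale_clientid, int init_pointers)
{
    open->stale_clientid = stale_clientid;
    if (init_pointers) {
        open->op_file = NULL;     /* the fix: well-defined before any error path */
        open->op_stp  = NULL;
    } else {
        open->op_file = (struct file_obj *)(uintptr_t)0x41414141UL;
        open->op_stp  = (struct state_obj *)(uintptr_t)0x42424242UL;
    }
}

/* Processing step: fails before assigning the pointers (the path the patch
 * fixes) and assigns them only on success. */
static int process_open1(struct open_req *open)
{
    if (open->stale_clientid)
        return ERR_STALE_CLIENTID;   /* op_file / op_stp untouched here */
    g_file.refs++;  open->op_file = &g_file;
    g_state.refs++; open->op_stp  = &g_state;
    return ERR_NONE;
}

/* Shared exit path. Returns ERR_BAD_POINTER instead of dereferencing a
 * pointer that is neither NULL nor a known live object. */
static int cleanup_open_state(struct open_req *open)
{
    if (open->op_file) {
        if (!is_live_file(open->op_file))
            return ERR_BAD_POINTER;
        open->op_file->refs--;
        open->op_file = NULL;
    }
    if (open->op_stp) {
        if (!is_live_state(open->op_stp))
            return ERR_BAD_POINTER;
        open->op_stp->refs--;
        open->op_stp = NULL;
    }
    return ERR_NONE;
}

/* Whole request: decode, process, always clean up. Reports ERR_BAD_POINTER
 * when the cleanup met garbage, otherwise the processing status. */
int handle_open(int stale_clientid, int init_pointers)
{
    struct open_req open;
    int status, cleanup;

    decode_open(&open, stale_clientid, init_pointers);
    status  = process_open1(&open);
    cleanup = cleanup_open_state(&open);   /* runs on success and on error */
    return cleanup != ERR_NONE ? cleanup : status;
}

/* After any sequence of requests every reference must have been dropped. */
int refs_balanced(void)
{
    return g_file.refs == 0 && g_state.refs == 0;
}
```

Calling handle_open(1, 0) (early error, no initialization) makes the cleanup see the planted values and report ERR_BAD_POINTER, which is the situation the patch closes; handle_open(1, 1) takes the same error path but exits cleanly with ERR_STALE_CLIENTID, and both success variants release exactly what they acquired. The registry check is only a stand-in for instrumentation: in a real kernel build the equivalent evidence comes from KASAN or a poisoning allocator, which is why reproducing the error path under such instrumentation is worth noting in a fix like this one.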