BUG: possible NULL pointer dereference in nfs server
Roman Divacky
rdivacky at freebsd.org
Fri Jan 24 18:41:49 UTC 2014
Hi,
In nfs_nfsdstate.c:nfsrv_lockctrl() we call

    getlckret = nfsrv_getlockfh(vp, new_stp->ls_flags, NULL, &nfh, p);

then in nfsrv_getlockfh() we, based on the value of flags, might
dereference the NULL pointer:

    nfsrv_getlockfh(vnode_t vp, u_short flags,
        struct nfslockfile **new_lfpp, fhandle_t *nfhp, NFSPROC_T *p)

        if (flags & NFSLCK_OPEN) {
            new_lfp = *new_lfpp;
            fhp = &new_lfp->lf_fh;
I am not sure what the right fix is. Or if it's even possible to hit
(but I think it is). Anyway the compiler currently generates
a trap instruction (ud2 on x86) in this code. It's the only trap
in GENERIC btw.
Would be lovely to fix this.
Roman
P.S. CC me on your replies as I am not subscribed to the list.
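The hazard described in this report, modelled as an added stand-alone C example (not FreeBSD code, not the reporter's): a callee whose dereference of a double pointer depends on a flag, called by a caller that passes NULL. All names here (FLAG_OPEN, struct lockfile, getlockfh_unchecked, getlockfh_checked, the scenario_* helpers) are constructed stand-ins for NFSLCK_OPEN, struct nfslockfile and nfsrv_getlockfh, chosen only to show the shape of the problem and one defensive way to close it: validate the argument combination before dereferencing, and return an error instead of trapping.

```c
/* Added illustration, not FreeBSD code: a flag-dependent dereference of a
 * pointer argument that the caller may pass as NULL, and a checked variant. */
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for NFSLCK_OPEN and for kernel error values. */
#define FLAG_OPEN  0x0001u
#define ERR_OK     0
#define ERR_INVAL  22   /* EINVAL-like, constructed for this example */

/* Stand-in for struct nfslockfile; fh plays the role of lf_fh. */
struct lockfile {
    uint32_t fh;
};

/* Mirrors the hazardous shape in the report: when FLAG_OPEN is set, the
 * double pointer is dereferenced unconditionally, so a caller that passes
 * lfpp == NULL together with FLAG_OPEN reaches undefined behaviour (the
 * compiler may legitimately turn that path into a trap). */
int getlockfh_unchecked(unsigned short flags, struct lockfile **lfpp,
                        uint32_t *out_fh)
{
    struct lockfile *lfp;

    if (flags & FLAG_OPEN) {
        lfp = *lfpp;              /* NULL dereference if lfpp == NULL */
        *out_fh = lfp->fh;
    } else {
        *out_fh = 0;              /* stand-in for "derive fh from the vnode" */
    }
    return ERR_OK;
}

/* Defensive variant: make the caller's contract explicit. If the flags say
 * a lockfile pointer is required, refuse a missing one with an error code
 * rather than dereferencing it. Everything else is delegated unchanged. */
int getlockfh_checked(unsigned short flags, struct lockfile **lfpp,
                      uint32_t *out_fh)
{
    if ((flags & FLAG_OPEN) != 0 && (lfpp == NULL || *lfpp == NULL))
        return ERR_INVAL;
    return getlockfh_unchecked(flags, lfpp, out_fh);
}

/* Scenario helpers returning plain values so each outcome can be checked. */

/* The report's situation: FLAG_OPEN set, NULL passed for the lockfile. */
int scenario_open_without_lockfile(void)
{
    uint32_t fh = 0;
    return getlockfh_checked(FLAG_OPEN, NULL, &fh);   /* ERR_INVAL */
}

/* The intended use: FLAG_OPEN set and a real lockfile supplied. */
uint32_t scenario_open_with_lockfile(void)
{
    struct lockfile lf = { 0xC0FFEE };               /* constructed handle */
    struct lockfile *lfp = &lf;
    uint32_t fh = 0;

    if (getlockfh_checked(FLAG_OPEN, &lfp, &fh) != ERR_OK)
        return 0;
    return fh;                                        /* 0xC0FFEE */
}

/* Without FLAG_OPEN, a NULL lockfile pointer is fine: that path never
 * touches it, and the checked variant must not reject it. */
int scenario_nonopen_with_null_is_ok(void)
{
    uint32_t fh = 1;
    return getlockfh_checked(0, NULL, &fh) == ERR_OK && fh == 0;
}
```

The check lives in the callee because that is where the assumption (FLAG_OPEN implies a valid lockfile pointer) is actually relied on; a caller-side fix that only audits today's call sites leaves the next caller free to repeat the mistake.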