svn commit: r252558 - head/sys/fs/smbfs
Davide Italiano
davide at FreeBSD.org
Wed Jul 3 10:31:46 UTC 2013
Author: davide
Date: Wed Jul 3 10:31:45 2013
New Revision: 252558
URL: http://svnweb.freebsd.org/changeset/base/252558
Log:
- Fix double frees/use after free.
- Allocate using smb_rq_alloc() instead of inlining it.
Reported by: uqs
Found with: Coverity Scan
Modified:
head/sys/fs/smbfs/smbfs_smb.c
Modified: head/sys/fs/smbfs/smbfs_smb.c
==============================================================================
--- head/sys/fs/smbfs/smbfs_smb.c Wed Jul 3 09:50:59 2013 (r252557)
+++ head/sys/fs/smbfs/smbfs_smb.c Wed Jul 3 10:31:45 2013 (r252558)
@@ -94,12 +94,10 @@ smbfs_smb_lockandx(struct smbnode *np, i
if (op == SMB_LOCK_SHARED)
ltype |= SMB_LOCKING_ANDX_SHARED_LOCK;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint8(mbp, 0xff); /* secondary command */
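Review bot: Nothing at this call site records that `rqp` is no longer the caller's to free: the request now comes from `smb_rq_alloc()` and the matching `free(rqp, M_SMBFSDATA)` is dropped later in the function, so the only release left is `smb_rq_done(rqp)`. That is safe only if `smb_rq_done()` frees requests obtained from `smb_rq_alloc()`, which is not visible in this diff and is worth confirming in the smb_rq code. A short comment above the call would keep a later edit from re-adding a free and reintroducing the double free: `/* rqp is owned by the smb_rq layer; release it with smb_rq_done() only, never free(). */`. The same applies to every other converted call site in this file (smbfs_smb_statfs through smbfs_smb_findclose2), and smbfs_smb_lockandx continues outside this hunk.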
@@ -119,7 +117,6 @@ smbfs_smb_lockandx(struct smbnode *np, i
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -188,19 +185,16 @@ smbfs_smb_statfs(struct smb_share *ssp,
u_int16_t units, bpu, bsize, funits;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK,
+ scred, &rqp);
+ if (error)
+ return (error);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
smb_rq_bstart(rqp);
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
if (error) {
- free(rqp, M_SMBFSDATA);
smb_rq_done(rqp);
return error;
}
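Review bot: The two exits of smbfs_smb_statfs each carry their own `smb_rq_done(rqp)` call (the error branch after `smb_rq_simple()` here, and the success return further down), which is the duplicated-cleanup shape that let a `free()` land ahead of `smb_rq_done()` in the old error branch. A single exit would keep the release in one place: `if (error) goto out;` here and `out: smb_rq_done(rqp); return (error);` at the end. That only works if `error` is still 0 when the success path reaches the label, which the lines between this hunk and the next would have to confirm. The function body starts and ends outside this hunk.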
@@ -216,7 +210,6 @@ smbfs_smb_statfs(struct smb_share *ssp,
sbp->f_files = 0xffff; /* total file nodes in filesystem */
sbp->f_ffree = 0xffff; /* free file nodes in fs */
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return 0;
}
@@ -260,12 +253,9 @@ smb_smb_flush(struct smbnode *np, struct
if ((np->n_flag & NOPEN) == 0 || !SMBTOV(np) ||
SMBTOV(np)->v_type != VREG)
return 0; /* not a regular open file */
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_FLUSH, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_FLUSH, scred, &rqp);
+ if (error)
return (error);
- }
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@@ -274,7 +264,6 @@ smb_smb_flush(struct smbnode *np, struct
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
if (!error)
np->n_flag &= ~NFLUSHWIRE;
return (error);
@@ -301,12 +290,9 @@ smbfs_smb_setfsize(struct smbnode *np, i
return (0);
}
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_WRITE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_WRITE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@@ -320,7 +306,6 @@ smbfs_smb_setfsize(struct smbnode *np, i
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -337,12 +322,10 @@ smbfs_smb_query_info(struct smbnode *np,
u_int16_t wattr;
u_int32_t lint;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -377,7 +360,6 @@ smbfs_smb_query_info(struct smbnode *np,
fap->fa_size = lint;
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -394,12 +376,10 @@ smbfs_smb_setpattr(struct smbnode *np, u
u_long time;
int error, svtz;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred,
+ &rqp);
+ if (error)
+ return (error);
svtz = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -431,7 +411,6 @@ smbfs_smb_setpattr(struct smbnode *np, u
}
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -554,12 +533,10 @@ smbfs_smb_setftime(struct smbnode *np, s
u_int16_t date, time;
int error, tzoff;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred,
+ &rqp);
+ if (error)
+ return (error);
tzoff = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -584,7 +561,6 @@ smbfs_smb_setftime(struct smbnode *np, s
error = smb_rq_simple(rqp);
SMBSDEBUG("%d\n", error);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -648,12 +624,9 @@ smbfs_smb_open(struct smbnode *np, int a
u_int16_t fid, wattr, grantedmode;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_OPEN, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_OPEN, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, accmode);
@@ -684,7 +657,6 @@ smbfs_smb_open(struct smbnode *np, int a
*/
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
if (error)
return error;
np->n_fid = fid;
@@ -702,12 +674,9 @@ smbfs_smb_close(struct smb_share *ssp, u
u_long time;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CLOSE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CLOSE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&fid, sizeof(fid), MB_MSYSTEM);
@@ -721,7 +690,6 @@ smbfs_smb_close(struct smb_share *ssp, u
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -739,12 +707,9 @@ smbfs_smb_create(struct smbnode *dnp, co
u_long tm;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_ARCHIVE); /* attributes */
@@ -771,7 +736,6 @@ smbfs_smb_create(struct smbnode *dnp, co
if (error)
return error;
smbfs_smb_close(ssp, fid, &ctime, scred);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -783,12 +747,9 @@ smbfs_smb_delete(struct smbnode *np, str
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -801,7 +762,6 @@ smbfs_smb_delete(struct smbnode *np, str
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -814,12 +774,9 @@ smbfs_smb_rename(struct smbnode *src, st
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_RENAME, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_RENAME, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@@ -838,7 +795,6 @@ smbfs_smb_rename(struct smbnode *src, st
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -851,12 +807,9 @@ smbfs_smb_move(struct smbnode *src, stru
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_MOVE, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_MOVE, scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_TID_UNKNOWN);
@@ -877,7 +830,6 @@ smbfs_smb_move(struct smbnode *src, stru
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -890,12 +842,10 @@ smbfs_smb_mkdir(struct smbnode *dnp, con
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -907,7 +857,6 @@ smbfs_smb_mkdir(struct smbnode *dnp, con
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -919,12 +868,10 @@ smbfs_smb_rmdir(struct smbnode *np, stru
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred,
+ &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@@ -936,7 +883,6 @@ smbfs_smb_rmdir(struct smbnode *np, stru
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}
@@ -958,7 +904,7 @@ smbfs_smb_search(struct smbfs_fctx *ctx)
}
error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_SEARCH, ctx->f_scred, &rqp);
if (error)
- return error;
+ return (error);
ctx->f_rq = rqp;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@@ -1204,12 +1150,10 @@ smbfs_smb_findclose2(struct smbfs_fctx *
struct mbchain *mbp;
int error;
- rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
- error = smb_rq_init(rqp, SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2, ctx->f_scred);
- if (error) {
- free(rqp, M_SMBFSDATA);
- return error;
- }
+ error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2,
+ ctx->f_scred, &rqp);
+ if (error)
+ return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&ctx->f_Sid, 2, MB_MSYSTEM);
@@ -1218,7 +1162,6 @@ smbfs_smb_findclose2(struct smbfs_fctx *
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
- free(rqp, M_SMBFSDATA);
return error;
}