d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix use after free in pipe_dtor(). PIPE_NAMED flag must be tested

Browse Source 
before pipeclose() is called, since for !PIPE_NAMED case, when peer is
already closed, the pipe pair memory is freed.

Submitted by:	luke.tw@gmail.com
PR:	197246
Tested by:	pho
MFC after:	3 days
This commit is contained in:
Konstantin Belousov 2015-02-03 10:29:40 +00:00
parent feb031ce37
commit ff5ba73987
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=278145
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sys/kern/sys_pipe.c
View File

@ -377,15 +377,16 @@ pipe_named_ctor(struct pipe **ppipe, struct thread *td)
void
pipe_dtor(struct pipe *dpipe)
{
struct pipe *peer;
ino_t ino;
ino = dpipe->pipe_ino;
peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;
funsetown(&dpipe->pipe_sigio);
pipeclose(dpipe);
if (dpipe->pipe_state & PIPE_NAMED) {
dpipe = dpipe->pipe_peer;
funsetown(&dpipe->pipe_sigio);
pipeclose(dpipe);
if (peer != NULL) {
funsetown(&peer->pipe_sigio);
pipeclose(peer);
}
if (ino != 0 && ino != (ino_t)-1)
free_unr(pipeino_unr, ino);