nfsd: Fix use-after-free in NFS4 lock test service

Trivial use-after-free where stp was freed too soon in the non-error path. To fix, simply move its release to the end of the routine. Reported by: Coverity CID: 1006105 Sponsored by: EMC / Isilon Storage Division
2016-05-12 05:03:12 +00:00 · 2016-05-12 05:03:12 +00:00 · 5ecc225fc5
commit 5ecc225fc5
parent 5c4eb89746
1 changed files with 2 additions and 2 deletions
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
 	if (!nd->nd_repstat)
 	  nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
 	    &stateid, exp, nd, p);
-	if (stp)
-		FREE((caddr_t)stp, M_NFSDSTATE);
 	if (nd->nd_repstat) {
 	    if (nd->nd_repstat == NFSERR_DENIED) {
 		NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, __unused int isdgram,
 	    }
 	}
 	vput(vp);
+	if (stp)
+		FREE((caddr_t)stp, M_NFSDSTATE);
 	NFSEXITCODE2(0, nd);
 	return (0);
 nfsmout: