- Fix double frees/use after free.

- Allocate using smb_rq_alloc() instead of inlining it.

Reported by:	uqs
Found with:	Coverity Scan
Davide Italiano 2013-07-03 10:31:45 +00:00
parent 4099f7e640
commit 9e9421bcdf


@ -94,12 +94,10 @@ smbfs_smb_lockandx(struct smbnode *np, int op, u_int32_t pid, off_t start, off_t
if (op == SMB_LOCK_SHARED)
ltype |= SMB_LOCKING_ANDX_SHARED_LOCK;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_LOCKING_ANDX, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint8(mbp, 0xff); /* secondary command */
@ -119,7 +117,6 @@ smbfs_smb_lockandx(struct smbnode *np, int op, u_int32_t pid, off_t start, off_t
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -188,19 +185,16 @@ smbfs_smb_statfs(struct smb_share *ssp, struct statfs *sbp,
u_int16_t units, bpu, bsize, funits;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION_DISK,
scred, &rqp);
if (error)
return (error);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
smb_rq_bstart(rqp);
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
if (error) {
free(rqp, M_SMBFSDATA);
smb_rq_done(rqp);
return error;
}
@ -216,7 +210,6 @@ smbfs_smb_statfs(struct smb_share *ssp, struct statfs *sbp,
sbp->f_files = 0xffff; /* total file nodes in filesystem */
sbp->f_ffree = 0xffff; /* free file nodes in fs */
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return 0;
}
@ -260,12 +253,9 @@ smb_smb_flush(struct smbnode *np, struct smb_cred *scred)
if ((np->n_flag & NOPEN) == 0 || !SMBTOV(np) ||
SMBTOV(np)->v_type != VREG)
return 0; /* not a regular open file */
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_FLUSH, scred);
if (error) {
free(rqp, M_SMBFSDATA);
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_FLUSH, scred, &rqp);
if (error)
return (error);
}
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@ -274,7 +264,6 @@ smb_smb_flush(struct smbnode *np, struct smb_cred *scred)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
if (!error)
np->n_flag &= ~NFLUSHWIRE;
return (error);
@ -301,12 +290,9 @@ smbfs_smb_setfsize(struct smbnode *np, int newsize, struct smb_cred *scred)
return (0);
}
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_WRITE, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_WRITE, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&np->n_fid, 2, MB_MSYSTEM);
@ -320,7 +306,6 @@ smbfs_smb_setfsize(struct smbnode *np, int newsize, struct smb_cred *scred)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -337,12 +322,10 @@ smbfs_smb_query_info(struct smbnode *np, const char *name, int len,
u_int16_t wattr;
u_int32_t lint;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_QUERY_INFORMATION, scred,
&rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@ -377,7 +360,6 @@ smbfs_smb_query_info(struct smbnode *np, const char *name, int len,
fap->fa_size = lint;
} while(0);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -394,12 +376,10 @@ smbfs_smb_setpattr(struct smbnode *np, u_int16_t attr, struct timespec *mtime,
u_long time;
int error, svtz;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION, scred,
&rqp);
if (error)
return (error);
svtz = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@ -431,7 +411,6 @@ smbfs_smb_setpattr(struct smbnode *np, u_int16_t attr, struct timespec *mtime,
}
} while(0);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -554,12 +533,10 @@ smbfs_smb_setftime(struct smbnode *np, struct timespec *mtime,
u_int16_t date, time;
int error, tzoff;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_SET_INFORMATION2, scred,
&rqp);
if (error)
return (error);
tzoff = SSTOVC(ssp)->vc_sopt.sv_tz;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@ -584,7 +561,6 @@ smbfs_smb_setftime(struct smbnode *np, struct timespec *mtime,
error = smb_rq_simple(rqp);
SMBSDEBUG("%d\n", error);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -648,12 +624,9 @@ smbfs_smb_open(struct smbnode *np, int accmode, struct smb_cred *scred)
u_int16_t fid, wattr, grantedmode;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_OPEN, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_OPEN, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, accmode);
@ -684,7 +657,6 @@ smbfs_smb_open(struct smbnode *np, int accmode, struct smb_cred *scred)
*/
} while(0);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
if (error)
return error;
np->n_fid = fid;
@ -702,12 +674,9 @@ smbfs_smb_close(struct smb_share *ssp, u_int16_t fid, struct timespec *mtime,
u_long time;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CLOSE, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CLOSE, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&fid, sizeof(fid), MB_MSYSTEM);
@ -721,7 +690,6 @@ smbfs_smb_close(struct smb_share *ssp, u_int16_t fid, struct timespec *mtime,
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -739,12 +707,9 @@ smbfs_smb_create(struct smbnode *dnp, const char *name, int nmlen,
u_long tm;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_ARCHIVE); /* attributes */
@ -771,7 +736,6 @@ smbfs_smb_create(struct smbnode *dnp, const char *name, int nmlen,
if (error)
return error;
smbfs_smb_close(ssp, fid, &ctime, scred);
free(rqp, M_SMBFSDATA);
return error;
}
@ -783,12 +747,9 @@ smbfs_smb_delete(struct smbnode *np, struct smb_cred *scred)
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@ -801,7 +762,6 @@ smbfs_smb_delete(struct smbnode *np, struct smb_cred *scred)
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -814,12 +774,9 @@ smbfs_smb_rename(struct smbnode *src, struct smbnode *tdnp,
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_RENAME, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_RENAME, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_FA_SYSTEM | SMB_FA_HIDDEN);
@ -838,7 +795,6 @@ smbfs_smb_rename(struct smbnode *src, struct smbnode *tdnp,
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -851,12 +807,9 @@ smbfs_smb_move(struct smbnode *src, struct smbnode *tdnp,
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_MOVE, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_MOVE, scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_uint16le(mbp, SMB_TID_UNKNOWN);
@ -877,7 +830,6 @@ smbfs_smb_move(struct smbnode *src, struct smbnode *tdnp,
error = smb_rq_simple(rqp);
} while(0);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -890,12 +842,10 @@ smbfs_smb_mkdir(struct smbnode *dnp, const char *name, int len,
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_CREATE_DIRECTORY, scred,
&rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@ -907,7 +857,6 @@ smbfs_smb_mkdir(struct smbnode *dnp, const char *name, int len,
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -919,12 +868,10 @@ smbfs_smb_rmdir(struct smbnode *np, struct smb_cred *scred)
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ssp), SMB_COM_DELETE_DIRECTORY, scred,
&rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
smb_rq_wend(rqp);
@ -936,7 +883,6 @@ smbfs_smb_rmdir(struct smbnode *np, struct smb_cred *scred)
error = smb_rq_simple(rqp);
}
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
@ -958,7 +904,7 @@ smbfs_smb_search(struct smbfs_fctx *ctx)
}
error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_SEARCH, ctx->f_scred, &rqp);
if (error)
return error;
return (error);
ctx->f_rq = rqp;
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
@ -1204,12 +1150,10 @@ smbfs_smb_findclose2(struct smbfs_fctx *ctx)
struct mbchain *mbp;
int error;
rqp = malloc(sizeof(struct smb_rq), M_SMBFSDATA, M_WAITOK);
error = smb_rq_init(rqp, SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2, ctx->f_scred);
if (error) {
free(rqp, M_SMBFSDATA);
return error;
}
error = smb_rq_alloc(SSTOCP(ctx->f_ssp), SMB_COM_FIND_CLOSE2,
ctx->f_scred, &rqp);
if (error)
return (error);
smb_rq_getrequest(rqp, &mbp);
smb_rq_wstart(rqp);
mb_put_mem(mbp, (caddr_t)&ctx->f_Sid, 2, MB_MSYSTEM);
@ -1218,7 +1162,6 @@ smbfs_smb_findclose2(struct smbfs_fctx *ctx)
smb_rq_bend(rqp);
error = smb_rq_simple(rqp);
smb_rq_done(rqp);
free(rqp, M_SMBFSDATA);
return error;
}
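Review bot: In the smbfs_smb_statfs hunk (@ -188,19), the surviving error path after a failed smb_rq_simple() now calls only `smb_rq_done(rqp);` before returning, which is correct only if smb_rq_done() releases the request that smb_rq_alloc() hands back — the removed `free(rqp, M_SMBFSDATA);` that preceded it is exactly the use-after-free this commit fixes, and nothing in the new code records that ownership rule. I would add, at the first smb_rq_alloc() call in the file (the smbfs_smb_lockandx hunk, @ -94,12), a comment such as `/* rqp belongs to the smb_rq layer: smb_rq_done() releases it; callers must never free() it. */` — presumably that is the contract, but confirm it against the smb_rq_alloc()/smb_rq_done() definitions, which are not part of this diff. The new early returns use `return (error);` while the unchanged tails of the same functions (`smb_rq_done(rqp); return error;`) keep `return error;`, so the file now mixes both forms; the smbfs_smb_search hunk (@ -958,7) only changes that style, and the rest could be made consistent with style(9) in the same pass. The smbfs_smb_create tail hunk (@ -771,7) also drops the free() after smbfs_smb_close(), but whether its smb_rq_done() call precedes the `if (error) return error;` lies outside the hunk, so that release path should be checked in the full function.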