NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args

commit d8ba1f97 upstream. If the call to decode_rc_list() fails due to a memory allocation error, then we need to truncate the array size to ensure that we only call kfree() on those pointer that were allocated. Reported-by: David Ramos <daramos@stanford.edu> Fixes: 4aece6a1 ("nfs41: cb_sequence xdr implementation") Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args
commit d8ba1f97 upstream. If the call to decode_rc_list() fails due to a memory allocation error, then we need to truncate the array size to ensure that we only call kfree() on those pointer that were allocated. Reported-by: David Ramos <daramos@stanford.edu> Fixes: 4aece6a1 ("nfs41: cb_sequence xdr implementation") Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
237b8a43 · Trond Myklebust · Luis Henriques · dbdfc09c · 237b8a43
Commit 237b8a43 authored Feb 11, 2015 by Trond Myklebust Committed by Luis Henriques Mar 02, 2015
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

fs/nfs/callback_xdr.c fs/nfs/callback_xdr.c +3 -1

No files found.
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -464,10 +464,12 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,

 		for (i = 0; i < args->csa_nrclists; i++) {
 			status = decode_rc_list(xdr, &args->csa_rclists[i]);
-			if (status)
+			if (status) {
+				args->csa_nrclists = i;
 				goto out_free;
 			}
 		}
+	}
 	status = 0;

 	dprintk("%s: sessionid %x:%x:%x:%x sequenceid %u slotid %u "