* NCPFS memleak/crazyness?
@ 2003-03-09 20:30 Oleg Drokin
  2003-03-09 20:43 ` [PATCH] " Petr Vandrovec
  0 siblings, 1 reply; 2+ messages in thread
From: Oleg Drokin @ 2003-03-09 20:30 UTC (permalink / raw)
  To: alan, linux-kernel; +Cc: torvalds

Hello!

   Looking at fs/ncpfs/ioctl.c (latest 2.4 bk tree), I seem to see a place
   where we use userspace pointers directly (and eventually do kfree on
   these). In the NCP_IOC_SETOBJECTNAME handler, we allocate space (newname
   pointer), copy stuff from userspace to there and then assign the userspace
   pointer to our internal structure, whoops! Or am I missing something?

   Seems that the following patch is needed. (The same problem is present in 2.5
   and the same patch should apply.)

   Found with the help of smatch + an enhanced unfree script.

Bye,
    Oleg

===== fs/ncpfs/ioctl.c 1.3 vs edited =====
--- 1.3/fs/ncpfs/ioctl.c	Mon Sep  9 22:36:07 2002
+++ edited/fs/ncpfs/ioctl.c	Sun Mar  9 23:23:12 2003
@@ -434,7 +434,7 @@
 			oldprivatelen = server->priv.len;
 			server->auth.auth_type = user.auth_type;
 			server->auth.object_name_len = user.object_name_len;
-			server->auth.object_name = user.object_name;
+			server->auth.object_name = newname;
 			server->priv.len = 0;
 			server->priv.data = NULL;
 			/* leave critical section */
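Review bot: storing `newname` in `server->auth.object_name` is the right replacement for the user pointer, but the hunk only shows the pointer swap, and with the pre-patch line the kernel copy in `newname` was never referenced again while a later kfree() of `object_name` would have been handed a userspace address. Please confirm two things the hunk cannot show: that the previous `object_name` is saved the way `oldprivatelen` saves the old priv length and is released after `/* leave critical section */` rather than under the lock, and that the failure path of the copy from userspace frees `newname` before returning.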


* [PATCH] Re: NCPFS memleak/crazyness?
  2003-03-09 20:30 NCPFS memleak/crazyness? Oleg Drokin
@ 2003-03-09 20:43 ` Petr Vandrovec
  0 siblings, 0 replies; 2+ messages in thread
From: Petr Vandrovec @ 2003-03-09 20:43 UTC (permalink / raw)
  To: torvalds, marcelo, alan; +Cc: Oleg Drokin, linux-kernel

On Sun, Mar 09, 2003 at 11:30:48PM +0300, Oleg Drokin wrote:
> Hello!
> 
>    Looking at fs/ncpfs/ioctl.c (latest 2.4 bk tree), I seem to see a place
>    where we use userspace pointers directly (and eventually do kfree on
>    these). In the NCP_IOC_SETOBJECTNAME handler, we allocate space (newname
>    pointer), copy stuff from userspace to there and then assign the userspace
>    pointer to our internal structure, whoops! Or am I missing something?
> 
>    Seems that the following patch is needed. (The same problem is present in 2.5
>    and the same patch should apply.)

Definitely. Alan, Linus, Marcelo (alphabetically) please apply...
2.2.x should not be affected as it does not support this ioctl.
						Petr Vandrovec

    From Oleg Drokin:

    In the NCP_IOC_SETOBJECTNAME handler, we allocate space (newname pointer),
    copy stuff from userspace to there and then assign the userspace
    pointer to our internal structure, whoops!

===== fs/ncpfs/ioctl.c 1.3 vs edited =====
--- 1.3/fs/ncpfs/ioctl.c	Mon Sep  9 22:36:07 2002
+++ edited/fs/ncpfs/ioctl.c	Sun Mar  9 23:23:12 2003
@@ -434,7 +434,7 @@
 			oldprivatelen = server->priv.len;
 			server->auth.auth_type = user.auth_type;
 			server->auth.object_name_len = user.object_name_len;
-			server->auth.object_name = user.object_name;
+			server->auth.object_name = newname;
 			server->priv.len = 0;
 			server->priv.data = NULL;
 			/* leave critical section */
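Review bot: the description above this hunk repeats the symptom but not its consequence; since this is the copy being forwarded for merging, state in it that before the change `server->auth.object_name` held a pointer into userspace, so the buffer allocated in `newname` leaked and any later kfree() of `object_name` would free a non-kernel address, and note that the same one-line change applies to 2.5, as the original report says. The hunk and its context lines are identical to the first posting, so a single apply with -p1 covers it.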

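The following is an added, constructed example that is not ncpfs code and not part of either message. It reproduces in userspace the two behaviours the thread describes for the NCP_IOC_SETOBJECTNAME handler: the pre-patch assignment that stores the user pointer (leaking the kernel copy and later handing kfree a userspace address) beside the patched assignment that stores `newname`. kmalloc()/kfree()/copy_from_user() are simulated with a small live-block table, and the struct and helper names (`objname_arg`, `server_auth`, `set_object_name`, `scenario`) are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* kmalloc()/kfree() stand-ins with a tiny live-block table, constructed for
 * this example so both symptoms are observable: the leaked kernel copy and a
 * later kfree() of an address that was never a kernel allocation. */
#define MAX_ALLOCS 16
static void *live_allocs[MAX_ALLOCS];

static void *kmalloc_sim(size_t n) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (live_allocs[i] == NULL)
            return live_allocs[i] = malloc(n);
    return NULL;
}

/* 0 if p is NULL or a live kmalloc_sim() block; -1 otherwise, which is the
 * point where a real kernel would corrupt its allocator or oops. */
static int kfree_sim(void *p) {
    if (p == NULL)
        return 0;
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (live_allocs[i] == p) { free(p); live_allocs[i] = NULL; return 0; }
    return -1;
}

static int live_alloc_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_ALLOCS; i++)
        n += (live_allocs[i] != NULL);
    return n;
}

static void reset_allocs(void) {
    for (int i = 0; i < MAX_ALLOCS; i++) { free(live_allocs[i]); live_allocs[i] = NULL; }
}

/* copy_from_user() stand-in; user memory is ordinary memory here. */
static int copy_from_user_sim(void *dst, const void *src, size_t n) {
    if (src == NULL)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Shapes loosely modelled on the ioctl argument and server->auth fields named
 * in the patch; the struct names themselves are assumptions, not ncpfs's own. */
struct objname_arg { int auth_type; size_t object_name_len; const char *object_name; };
struct server_auth { int auth_type; size_t object_name_len; char *object_name; };

/* store_user_pointer == 1 reproduces the pre-patch assignment
 * "server->auth.object_name = user.object_name;", 0 the patched one (newname).
 * Returns 0 on success, -1 on allocation/copy failure, -2 if releasing the
 * previous name handed kfree a pointer that was never a kernel allocation. */
int set_object_name(struct server_auth *auth, const struct objname_arg *user,
                    int store_user_pointer) {
    char *newname = NULL, *oldname;
    if (user->object_name_len) {
        newname = kmalloc_sim(user->object_name_len);
        if (newname == NULL)
            return -1;
        if (copy_from_user_sim(newname, user->object_name, user->object_name_len)) {
            kfree_sim(newname);   /* error path releases the copy */
            return -1;
        }
    }
    /* enter critical section: swap pointers only, free nothing under the lock */
    oldname = auth->object_name;
    auth->auth_type = user->auth_type;
    auth->object_name_len = user->object_name_len;
    auth->object_name = store_user_pointer ? (char *)user->object_name : newname;
    /* leave critical section */
    return kfree_sim(oldname) ? -2 : 0;
}

/* Results of the last scenario() run. */
int scenario_leaked;        /* kernel blocks still live after teardown */
int scenario_aliases_user;  /* 1 if auth.object_name ended up pointing into user memory */

/* Two back-to-back SETOBJECTNAME calls on one server, then teardown; returns
 * the second call's status. */
int scenario(int store_user_pointer) {
    static char user_name_a[] = "ALICE";   /* constructed sample input */
    static char user_name_b[] = "BOB";
    struct objname_arg a = { 1, sizeof user_name_a, user_name_a };
    struct objname_arg b = { 1, sizeof user_name_b, user_name_b };
    struct server_auth auth = { 0, 0, NULL };
    int rc;
    reset_allocs();
    set_object_name(&auth, &a, store_user_pointer);
    rc = set_object_name(&auth, &b, store_user_pointer);
    scenario_aliases_user = (auth.object_name == user_name_b);
    if (!store_user_pointer)   /* teardown only kfrees when a kernel copy was stored */
        kfree_sim(auth.object_name);
    scenario_leaked = live_alloc_count();
    return rc;
}
```

With `store_user_pointer = 1` the second call returns -2 and two kernel blocks are left live: the first call's `newname` was never stored anywhere, and the second call's release of the "old" name hands kfree the first user buffer. With `store_user_pointer = 0` every name the server holds is a kernel copy, the previous copy is released after the critical section, and nothing is left allocated at teardown. The swap-under-lock, free-outside-lock shape mirrors what the surrounding `oldprivatelen`/`priv.data` lines in the hunk suggest for the priv buffer.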
