From mboxrd@z Thu Jan 1 00:00:00 1970
From: jiangyiwen
Subject: Re: [V9fs-developer] [PATCH] version pointer uninitialized
Date: Wed, 11 Jul 2018 09:26:19 +0800
Message-ID: <5B455CBB.8030501@huawei.com>
References: <20180709222943.19503-1-tomasbortoli@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Cc: , , , ,
To: Tomas Bortoli , , ,
Return-path:
In-Reply-To: <20180709222943.19503-1-tomasbortoli@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On 2018/7/10 6:29, Tomas Bortoli wrote:
> The p9_client_version() does not initialize the version
> pointer. If the call to p9pdu_readf() returns an error and version has not
> been allocated in p9pdu_readf(), then the program will jump to the "error"
> label and will try to free the version pointer. If version is not
> initialized, free() will be called with uninitialized, garbage data and
> will provoke a crash.
>
> Signed-off-by: Tomas Bortoli

Reviewed-by: Yiwen Jiang

> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
> ---
> net/9p/client.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 18c5271910dc..40f7c47f2f74 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -957,7 +957,7 @@ static int p9_client_version(struct p9_client *c)
> {
> int err = 0;
> struct p9_req_t *req;
> - char *version;
> + char *version = NULL;
> int msize;
>
> p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
>
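Review bot: `+ char *version = NULL;` is the right sentinel only because kfree(NULL) is a no-op, and the hunk's context ends before the "error" label the commit message refers to, so the review should confirm in the rest of p9_client_version() that the label frees `version` unconditionally and that no path between the declaration and the jump assigns it anything other than a heap pointer; otherwise the uninitialized-free described in the message is replaced by a different invalid free. The commit message should say kfree() rather than free(), since this is kernel code, and because the bug is a crash found by syzbot (see the Reported-by line), a Fixes: tag naming the commit that introduced the uninitialized declaration, plus Cc: stable, would help backporting; the tag values should come from git history, not be guessed here.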