NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args

trondmypd · gregkh · commit 5c88a9da64fc · 2015-03-06T14:43:29.000-08:00
commit d8ba1f9 upstream. If the call to decode_rc_list() fails due to a memory allocation error, then we need to truncate the array size to ensure that we only call kfree() on those pointer that were allocated. Reported-by: David Ramos <daramos@stanford.edu> Fixes: 4aece6a ("nfs41: cb_sequence xdr implementation") Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,
 
 		for (i = 0; i < args->csa_nrclists; i++) {
 			status = decode_rc_list(xdr, &args->csa_rclists[i]);
-			if (status)
+			if (status) {
+				args->csa_nrclists = i;
 				goto out_free;
+			}
 		}
 	}
 	status = 0;

Original file line number	Diff line number	Diff line change
`@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,`
`464`	`464`
`465`	`465`	`for (i = 0; i < args->csa_nrclists; i++) {`
`466`	`466`	`status = decode_rc_list(xdr, &args->csa_rclists[i]);`
`467`		`- if (status)`
	`467`	`+ if (status) {`
	`468`	`+ args->csa_nrclists = i;`
`468`	`469`	`goto out_free;`
	`470`	`+ }`
`469`	`471`	`}`
`470`	`472`	`}`
`471`	`473`	`status = 0;`