On Thu, 19 Jul 2007 21:09:09 -0400
Mathieu Desnoyers <[email protected]> wrote:
> Coverity spotted what looks like a real possible case of using a
> variable after it has been freed.
> The problem is in kernel/relay.c::relay_open_buf()
>
> If the code hits "goto free_buf;" it ends up in this code :
>
> free_buf:
> relay_destroy_buf(buf); <--- calls kfree() on 'buf'.
> free_name:
> kfree(tmpname);
> end:
> return buf; <-- use after free of 'buf'.
>
> I read through the callers and they all handle a NULL return
> from this function as an error (and hitting the 'free_buf' label
> only happens on failure to chan->cb->create_buf_file(), so that
> looks like a clear error to me).
>
> The patch simply sets 'buf' to NULL after the call to
> relay_destroy_buf(buf); - as far as I can see that should take
> care of the problem.
>
> The patch also corrects a reference to a documentation file while
> I was at it.
>
> Note from Mathieu: the documentation reference change should have been
> done in a separate patch, but I guess no one will really care.
>
> Signed-off-by: Jesper Juhl <[email protected]>
> Acked-by: "David J. Wilder" <[email protected]>
> Tested-by: "David J. Wilder" <[email protected]>
> Signed-off-by: Mathieu Desnoyers <[email protected]>
I'm going to infer from all this that the patch was actually written
by Jesper. Correct?
If so, it shuld have had From: Jesper Juhl <[email protected]>
right at the start of the changelog.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
