-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 10 Aug 2012 12:36:10 -0700
Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
> Hi folks,
>
> I have been trawling through the code to get a better understanding of
> various things and I came across this curious thing in the smb2dev
> branch in git://git.altlinux.org/people/piastry/public/cifs-2.6.git
> but it is also in the master branch, it seems.
>
> In transport.c:SendReceive (and SendReceive2 where we do similar things) we see:
>
> ...
> rc = cifs_sync_mid_result(midQ, ses->server);
> if (rc != 0) {
> add_credits(ses->server, 1, 0);
> return rc;
> }
>
Note that here we return rc here without "goto out;" whenever rc != 0.
> if (!midQ->resp_buf || !out_buf ||
> midQ->mid_state != MID_RESPONSE_RECEIVED) {
> rc = -EIO;
> cERROR(1, "Bad MID state?");
> goto out;
> }
>
> *pbytes_returned = get_rfc1002_length(midQ->resp_buf);
> memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4);
> rc = cifs_check_receive(midQ, ses->server, 0);
> ...
>
> However, at the end of cifs_sync_mid_result we see:
>
>
> DeleteMidQEntry(mid);
> return rc;
>
> and there are no early returns from cifs_sync_mid_result, it seems.
> The "mid" in the DeleteMidQEntry call is the same midQ passed to
> cifs_sync_mid_result, I believe.
>
There is an early return in the MID_RESPONSE_RECEIVED case.
> So, it looks like we have a use-after-free situation and thus a race
> to get the data out before someone else pollutes it.
>
> Is this correct or have I got the wrong end of the stick here?
>
I don't think there is a use-after-free here, but I'll freely admit
that this code could be clearer. If you care to clean it up and make it
clearer, I certainly wouldn't object.
- --
Jeff Layton <jlayton@xxxxxxxxx>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iQIcBAEBAgAGBQJQJbVxAAoJEAAOaEEZVoIVWCgP/3h9HJkRDtGWDSVxYEIFF/n/
9VpMvFj6n7wjRo87gMi69t/ouJyRBfj0ytKJ10fSCN0DONgf2ruk8xMpDNVTGFOB
oSM/9hill/x54tUz+luhJ42cO+ELZ7bskW6jFWB9uQ8uvsI3wkeD3RuIQlniS1vs
3/0eHsRdiCUuavn48pzjESWhIKtvXq5RvLju2Abb+oKmZ1T6rNAKtIAfF0UWLzug
SOlLtw+o9F+j0Iu7nC0j152PwToK2OabT/CWTMbfF0gDnpuaJmVCXWSexp80OAYS
UF1kkBwgk/1H5o9pbDmY99o9TXiopk3MmvZAqstol+ND4NFhYbBpDZc/whLnyDvb
1Memp20nuIhVh1/KetmGB45CtUe5HIsJw1KdjMxXM4uWuUlPMAqfHIc3zeZnKE7C
j9wwJQBjMAmZwIlFwLGKV92dR5UMIH5ORGCZn0uKySPSwUFMvTUDK0fy/F7L8y+q
tPVd3gwWrfBKNIdPSmwF8B/OIsqdYKGZ1cGfEUlm2NHjI5z/lA/orHPE0DegDWtd
dQ6r6W9MP274xpbWHzldBJQcozwZNSrtSGrgIUytf3NPHJThzzwamVhQZY5u5ZzQ
BE5ZTJQz8dVZMgbeCO4qQAICUz4FDVEvrF9gZZ48cbPubSS6fKyTNTnxfUo0Gce3
hmVgx73LP2ZyuXv4Zaus
=SXOl
-----END PGP SIGNATURE-----
ÿôèº{.nÇ+?·?®??+%?Ëÿ±éݶ�¥?wÿº{.nÇ+?·¥?{±ýÈ?³ø§¶�?¡Ü¨}©?²Æ zÚ&j:+v?¨þø�¯ù�®w¥þ?à2?Þ?¨èÚ&¢)ß¡«a¶Úÿÿûàz¿äz¹Þ?ú+?ù???Ý¢jÿ?wèþ�f
