Commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduced a regression that causes callers of svc_getargs() to crash when svc_freeargs() frees args pointers that are allocated on the stack. svc_getargs() should let the callers do the freeing and not make any assumptions on the type of memory passed in.

Also see: https://bugzilla.redhat.com/show_bug.cgi?id=948378 and CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash

Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>

--- src/svc_dg.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/svc_dg.c b/src/svc_dg.c index b1ac462..6e00191 100644 --- a/src/svc_dg.c +++ b/src/svc_dg.c @@ -284,7 +284,6 @@ svc_dg_getargs(xprt, xdr_args, args_ptr) { if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), xdr_args, args_ptr)) { - (void)svc_freeargs(xprt, xdr_args, args_ptr); return FALSE; } return TRUE; -- 1.8.1.4
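
Review bot: In the SVCAUTH_UNWRAP failure branch of svc_dg_getargs(), returning FALSE without the svc_freeargs() call leaves anything the XDR routine allocated before the decode failed for the caller to release, and nothing in the function says so. A short comment above `return FALSE;` stating that the caller owns args_ptr and is responsible for calling svc_freeargs() after a failed decode would put the contract from the commit message into the code. The message also describes the regression for callers of svc_getargs() in general, while the diffstat touches only src/svc_dg.c; if commit 82cc2e61 added the same free to the getargs path of other transports, those need the same one-line removal in this patch.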