Message ID | 20221028091033.278199-1-yieli@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [V2,nfs/nfs-utils/libtirpc] clnt_raw.c: fix a possible null pointer dereference | expand |
On 10/28/22 5:10 AM, Zhi Li wrote: > Since clntraw_private could be dereferenced before > allocated, protect it by checking its value in advance. > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2138317 > Signed-off-by: Zhi Li <yieli@redhat.com> Committed... steved. > --- > src/clnt_raw.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/clnt_raw.c b/src/clnt_raw.c > index 31f9d0c..03f839d 100644 > --- a/src/clnt_raw.c > +++ b/src/clnt_raw.c > @@ -142,7 +142,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout) > struct timeval timeout; > { > struct clntraw_private *clp = clntraw_private; > - XDR *xdrs = &clp->xdr_stream; > + XDR *xdrs; > struct rpc_msg msg; > enum clnt_stat status; > struct rpc_err error; > @@ -154,6 +154,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout) > mutex_unlock(&clntraw_lock); > return (RPC_FAILED); > } > + xdrs = &clp->xdr_stream; > mutex_unlock(&clntraw_lock); > > call_again: > @@ -245,7 +246,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr) > void *res_ptr; > { > struct clntraw_private *clp = clntraw_private; > - XDR *xdrs = &clp->xdr_stream; > + XDR *xdrs; > bool_t rval; > > mutex_lock(&clntraw_lock); > @@ -254,6 +255,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr) > mutex_unlock(&clntraw_lock); > return (rval); > } > + xdrs = &clp->xdr_stream; > mutex_unlock(&clntraw_lock); > xdrs->x_op = XDR_FREE; > return ((*xdr_res)(xdrs, res_ptr));
diff --git a/src/clnt_raw.c b/src/clnt_raw.c
index 31f9d0c..03f839d 100644
--- a/src/clnt_raw.c
+++ b/src/clnt_raw.c
@@ -142,7 +142,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
 struct timeval timeout;
 {
 struct clntraw_private *clp = clntraw_private;
- XDR *xdrs = &clp->xdr_stream;
+ XDR *xdrs;
 struct rpc_msg msg;
 enum clnt_stat status;
 struct rpc_err error;
@@ -154,6 +154,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
 mutex_unlock(&clntraw_lock);
 return (RPC_FAILED);
 }
+ xdrs = &clp->xdr_stream;
 mutex_unlock(&clntraw_lock);
 
 call_again:
@@ -245,7 +246,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
 void *res_ptr;
 {
 struct clntraw_private *clp = clntraw_private;
- XDR *xdrs = &clp->xdr_stream;
+ XDR *xdrs;
 bool_t rval;
 
 mutex_lock(&clntraw_lock);
@@ -254,6 +255,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
 mutex_unlock(&clntraw_lock);
 return (rval);
 }
+ xdrs = &clp->xdr_stream;
 mutex_unlock(&clntraw_lock);
 xdrs->x_op = XDR_FREE;
 return ((*xdr_res)(xdrs, res_ptr));
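Review bot: In clnt_raw_freeres (third hunk) the context line `struct clntraw_private *clp = clntraw_private;` still copies the global in the declarations, ahead of `mutex_lock(&clntraw_lock);`, so the NULL test that now precedes `xdrs = &clp->xdr_stream;` examines a snapshot read without the lock. The condition itself falls between the hunks, but if it tests `clp` as the description suggests, a concurrent initialisation could leave the function seeing a stale NULL. I would declare `struct clntraw_private *clp;` and assign `clp = clntraw_private;` immediately after the `mutex_lock` call. The same declaration appears in clnt_raw_call (first and second hunks), where the lock call lies outside the visible lines, so that function presumably needs the same change; both functions begin and end outside the hunks.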
Since clntraw_private could be dereferenced before allocated, protect it by checking its value in advance. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2138317 Signed-off-by: Zhi Li <yieli@redhat.com> --- src/clnt_raw.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)