Commit ba518fa5 authored by Tomas Bortoli, committed by Kleber Sacilotto de Souza

net/9p/client.c: version pointer uninitialized

BugLink: https://bugs.launchpad.net/bugs/1792419

commit 7913690d upstream.

The p9_client_version() does not initialize the version pointer. If the
call to p9pdu_readf() returns an error and version has not been allocated
in p9pdu_readf(), then the program will jump to the "error" label and will
try to free the version pointer. If version is not initialized, free()
will be called with uninitialized, garbage data and will provoke a crash.

Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
Reviewed-by: Jun Piao <piaojun@huawei.com>
Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 1e47abe4
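The bug class the commit message describes (a pointer declared without an initializer, a parse call that fails before assigning it, and a shared `error:` label that frees it) is easiest to see in a small model. The following is an added example, not the kernel's code: `parse_cstring()` stands in for the `p9pdu_readf()` call, the 2-byte length-prefixed string and 4-byte little-endian msize are a constructed simplification of the TVERSION/RVERSION reply, and the names `client_version_fixed`, `run_valid_reply`, `run_truncated_reply` and `run_unknown_version` are assumptions for illustration. It shows the hardened shape of the function after the one-line fix: because `version` starts as `NULL`, the cleanup at the error label is safe on every path, including the one where the parser returned before allocating anything.

```c
/* Added example modelling the p9_client_version() cleanup path; not kernel code.
 * Wire format and helper names are constructed for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for p9pdu_readf() reading a string: 2-byte LE length, then bytes.
 * Allocates *out only on success. On truncated input it returns -1 and leaves
 * *out untouched, which is exactly the case the commit message describes. */
static int parse_cstring(const uint8_t *buf, size_t len, char **out)
{
    if (len < 2)
        return -1;
    size_t slen = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (len - 2 < slen)
        return -1;                      /* truncated: nothing allocated */
    char *s = malloc(slen + 1);
    if (!s)
        return -1;
    memcpy(s, buf + 2, slen);
    s[slen] = '\0';
    *out = s;
    return 0;
}

/* Hardened shape after the commit. Without the "= NULL" initializer, the
 * early "goto error" on a parse failure would hand a garbage stack value to
 * free(); that is undefined behaviour, so it is described here rather than run. */
int client_version_fixed(const uint8_t *reply, size_t len, int *msize_out)
{
    int err = 0;
    char *version = NULL;               /* the one-line fix from the commit */
    int msize;

    if (len < 4) {
        err = -1;
        goto error;                     /* version is NULL: free(NULL) is a no-op */
    }
    msize = (int)((uint32_t)reply[0] | ((uint32_t)reply[1] << 8) |
                  ((uint32_t)reply[2] << 16) | ((uint32_t)reply[3] << 24));

    err = parse_cstring(reply + 4, len - 4, &version);
    if (err)
        goto error;                     /* parser failed before allocating */

    /* Simplified check: accept only the protocol names the model knows about. */
    if (strcmp(version, "9P2000.L") != 0 && strcmp(version, "9P2000.u") != 0 &&
        strcmp(version, "9P2000") != 0) {
        err = -2;
        goto error;                     /* version allocated: free() releases it */
    }
    *msize_out = msize;
error:
    free(version);                      /* safe on every path because of the initializer */
    return err;
}

/* Constructed sample replies: msize 8192 (0x2000 LE) followed by a string. */
int run_valid_reply(int *msize_out)
{
    static const uint8_t reply[] = { 0x00, 0x20, 0x00, 0x00, 0x08, 0x00,
                                     '9', 'P', '2', '0', '0', '0', '.', 'L' };
    return client_version_fixed(reply, sizeof reply, msize_out);
}

/* Length field claims 8 bytes but only 4 follow: parser fails, no allocation. */
int run_truncated_reply(void)
{
    static const uint8_t reply[] = { 0x00, 0x20, 0x00, 0x00, 0x08, 0x00,
                                     '9', 'P', '2', '0' };
    int msize = 0;
    return client_version_fixed(reply, sizeof reply, &msize);
}

/* Well-formed string with an unknown protocol name: allocated, then freed. */
int run_unknown_version(void)
{
    static const uint8_t reply[] = { 0x00, 0x20, 0x00, 0x00, 0x06, 0x00,
                                     '9', 'P', '1', '9', '9', '9' };
    int msize = 0;
    return client_version_fixed(reply, sizeof reply, &msize);
}
```

Running the truncated case under a sanitizer (ASan, or KASAN in the kernel, which is how syzbot caught the original) is the practical check: with the initializer, the error path frees `NULL` and the tool stays silent; without it, the same input trips an invalid-free report.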
...@@ -931,7 +931,7 @@ static int p9_client_version(struct p9_client *c) ...@@ -931,7 +931,7 @@ static int p9_client_version(struct p9_client *c)
{ {
int err = 0; int err = 0;
struct p9_req_t *req; struct p9_req_t *req;
char *version; char *version = NULL;
int msize; int msize;
p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n", p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
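Review bot: the only change in this hunk is `char *version = NULL;` at the declaration, which is the right minimal fix: kfree() on a NULL pointer is a no-op, so the "error" label described in the commit message can free `version` unconditionally whether or not p9pdu_readf() got as far as allocating it. The error label itself is outside the visible context, so it is worth confirming in review that the cleanup there is a plain kfree(version) and not something that dereferences the pointer first; the p9_debug() line in the trailing context is unchanged, so the request side of the version negotiation is untouched by this patch.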