From 42f37419b65199482a5d951bc6e451c558b3a10e Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Wed, 7 Sep 2011 02:46:38 +0200
Subject: [PATCH] cwfs: fix use after free bug (ai->cuid), remove waitedfor abort()
---
 sys/src/cmd/cwfs/auth.c | 3 ++-
 sys/src/cmd/cwfs/portdat.h | 1 -
 sys/src/cmd/cwfs/sub.c | 10 ----------
 3 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/sys/src/cmd/cwfs/auth.c b/sys/src/cmd/cwfs/auth.c
index 5ca644ed3..e3d51be7e 100644
--- a/sys/src/cmd/cwfs/auth.c
+++ b/sys/src/cmd/cwfs/auth.c
@@ -143,12 +143,13 @@ authread(File *file, uchar *data, int count)
 if((ai = auth_getinfo(rpc)) == nil)
 goto Phase;
 file->uid = strtouid(ai->cuid);
- auth_freeAI(ai);
 if(file->uid < 0){
 snprint(chan->err, sizeof(chan->err),
 "unknown user '%s'", ai->cuid);
+ auth_freeAI(ai);
 return -1;
 }
+ auth_freeAI(ai);
 return 0;
 case ARok:
 if(count < rpc->narg){
diff --git a/sys/src/cmd/cwfs/portdat.h b/sys/src/cmd/cwfs/portdat.h
index 3b17db295..ffa510230 100644
--- a/sys/src/cmd/cwfs/portdat.h
+++ b/sys/src/cmd/cwfs/portdat.h
@@ -164,7 +164,6 @@ struct Queue
 Rendez empty;
 Rendez full;
- int waitedfor; /* flag */
 char* name; /* for debugging */
 int size; /* size of queue */
diff --git a/sys/src/cmd/cwfs/sub.c b/sys/src/cmd/cwfs/sub.c
index 619c7d22d..f79eca478 100644
--- a/sys/src/cmd/cwfs/sub.c
+++ b/sys/src/cmd/cwfs/sub.c
@@ -928,7 +928,6 @@ fs_recv(Queue *q, int)
 if(q == nil)
 panic("recv null q");
 qlock(q);
- q->waitedfor = 1;
 while((c = q->count) <= 0)
 rsleep(&q->empty);
 i = q->loc;
@@ -950,15 +949,6 @@ fs_send(Queue *q, void *a)
 if(q == nil)
 panic("send null q");
- if(!q->waitedfor) {
- for (i = 0; i < 5 && !q->waitedfor; i++)
- sleep(1000);
- if(!q->waitedfor) {
- /* likely a bug; don't wait forever */
- fprint(2, "no readers yet for %s q\n", q->name);
- abort();
- }
- }
 qlock(q);
 while((c = q->count) >= q->size)
 rsleep(&q->full);
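Review bot: In the authread hunk of auth.c, `file->uid` is still written before the `< 0` check, so a failed lookup returns -1 but leaves a negative uid stored on the File; whether later code on this auth file treats that value as unauthenticated is not visible in the hunk. Keeping the result in a local and storing it only on success, for example `uid = strtouid(ai->cuid);` with `file->uid = uid;` placed after the check, would leave the File unchanged on the error path. Both `auth_freeAI(ai)` calls now follow the last read of `ai->cuid`, and a short comment such as `/* ai->cuid is read by snprint below; free ai only after that */` would keep a later cleanup from hoisting the free back above the error message. authread's body starts and ends outside the hunk.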