EliasFleckenstein03
/
plan9front
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cwfs: fix use after free bug (ai->cuid), remove waitedfor abort()

front
cinap_lenrek 2011-09-07 02:46:38 +02:00
parent cd3b567ea0
commit 42f37419b6
3 changed files with 2 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/src/cmd/cwfs/auth.c
View File

@ -143,12 +143,13 @@ authread(File *file, uchar *data, int count)
if((ai = auth_getinfo(rpc)) == nil) if((ai = auth_getinfo(rpc)) == nil)
goto Phase; goto Phase;
file->uid = strtouid(ai->cuid); file->uid = strtouid(ai->cuid);
auth_freeAI(ai);
if(file->uid < 0){ if(file->uid < 0){
snprint(chan->err, sizeof(chan->err), snprint(chan->err, sizeof(chan->err),
"unknown user '%s'", ai->cuid); "unknown user '%s'", ai->cuid);
auth_freeAI(ai);
return -1; return -1;
} }
auth_freeAI(ai);
return 0; return 0;
case ARok: case ARok:
if(count < rpc->narg){ if(count < rpc->narg){

1
sys/src/cmd/cwfs/portdat.h
View File

@ -164,7 +164,6 @@ struct Queue
Rendez empty; Rendez empty;
Rendez full; Rendez full;
int waitedfor; /* flag */
char* name; /* for debugging */ char* name; /* for debugging */
int size; /* size of queue */ int size; /* size of queue */

10
sys/src/cmd/cwfs/sub.c
View File

@ -928,7 +928,6 @@ fs_recv(Queue *q, int)
if(q == nil) if(q == nil)
panic("recv null q"); panic("recv null q");
qlock(q); qlock(q);
q->waitedfor = 1;
while((c = q->count) <= 0) while((c = q->count) <= 0)
rsleep(&q->empty); rsleep(&q->empty);
i = q->loc; i = q->loc;
@ -950,15 +949,6 @@ fs_send(Queue *q, void *a)
if(q == nil) if(q == nil)
panic("send null q"); panic("send null q");
if(!q->waitedfor) {
for (i = 0; i < 5 && !q->waitedfor; i++)
sleep(1000);
if(!q->waitedfor) {
/* likely a bug; don't wait forever */
fprint(2, "no readers yet for %s q\n", q->name);
abort();
}
}
qlock(q); qlock(q);
while((c = q->count) >= q->size) while((c = q->count) >= q->size)
rsleep(&q->full); rsleep(&q->full);