Author: kib
Date: Mon Jul 14 08:45:29 2014
New Revision: 268608
URL: http://svnweb.freebsd.org/changeset/base/268608
Log:
The tmpfs_link() must not dereference the filesystem-specific data for
a vnode until it is verified that the vnode indeed belongs to tmpfs
mount. Otherwise, it might access random memory, at least in the
debug kernel.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Modified:
head/sys/fs/tmpfs/tmpfs_vnops.c
Modified: head/sys/fs/tmpfs/tmpfs_vnops.c
==============================================================================
--- head/sys/fs/tmpfs/tmpfs_vnops.c Mon Jul 14 08:41:13 2014
(r268607)
+++ head/sys/fs/tmpfs/tmpfs_vnops.c Mon Jul 14 08:45:29 2014
(r268608)
@@ -570,8 +570,6 @@ tmpfs_link(struct vop_link_args *v)
MPASS(cnp->cn_flags & HASBUF);
MPASS(dvp != vp); /* XXX When can this be false? */
- node = VP_TO_TMPFS_NODE(vp);
-
/* XXX: Why aren't the following two tests done by the caller? */
/* Hard links of directories are forbidden. */
@@ -586,6 +584,8 @@ tmpfs_link(struct vop_link_args *v)
goto out;
}
+ node = VP_TO_TMPFS_NODE(vp);
+
/* Ensure that we do not overflow the maximum number of links imposed
* by the system. */
MPASS(node->tn_links <= LINK_MAX);
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
