author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-02-12 12:25:37 +0000 |
---|---|---|
committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-02-12 12:25:37 +0000 |
commit | 75c9311ee4c034cecf2951922759e0ca5f2f03ed (patch) | |
tree | d810885d3f2105c1450ea7554a76752c21e978d9 | |
parent | 81a6351516f1fb4936884349fd18133b0d5db7f5 (diff) | |
parent | d0fcb88af333aa48dd2b958f3681f1b597b924cc (diff) | |
download | illumos-joyent-75c9311ee4c034cecf2951922759e0ca5f2f03ed.tar.gz |
[illumos-gate merge]
commit d0fcb88af333aa48dd2b958f3681f1b597b924cc
4545 _t_create(): Use after free in error code paths
commit c62da27859e36f9fdd8cee3c6df3ad567543dcf9
4539 _t_checkfd() should not call find_tilink() if force_sync is set
-rw-r--r-- | usr/src/lib/libnsl/nsl/_utility.c | 42 |
1 files changed, 18 insertions, 24 deletions
diff --git a/usr/src/lib/libnsl/nsl/_utility.c b/usr/src/lib/libnsl/nsl/_utility.c index f01cea5c6e..994e3158ee 100644 --- a/usr/src/lib/libnsl/nsl/_utility.c +++ b/usr/src/lib/libnsl/nsl/_utility.c @@ -26,6 +26,9 @@ * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ +/* + * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + */ #include "mt.h" #include <stdlib.h> @@ -82,15 +85,14 @@ _t_checkfd(int fd, int force_sync, int api_semantics) t_errno = TBADF; return (NULL); } - tiptr = NULL; - sig_mutex_lock(&_ti_userlock); - if ((tiptr = find_tilink(fd)) != NULL) { - if (!force_sync) { - sig_mutex_unlock(&_ti_userlock); + + if (!force_sync) { + sig_mutex_lock(&_ti_userlock); + tiptr = find_tilink(fd); + sig_mutex_unlock(&_ti_userlock); + if (tiptr != NULL) return (tiptr); - } } - sig_mutex_unlock(&_ti_userlock); /* * Not found or a forced sync is required. @@ -270,7 +272,7 @@ _t_register_lookevent( * signals are deferred, calls to malloc() are safe. */ if ((tlbs->tl_next = malloc(sizeof (struct _ti_lookbufs))) == - NULL) + NULL) return (-1); /* error */ tlbs = tlbs->tl_next; /* @@ -485,9 +487,9 @@ _t_do_ioctl(int fd, char *buf, int size, int cmd, int *retlenp) } if (retval > 0) { - t_errno = retval&0xff; + t_errno = retval & 0xff; if (t_errno == TSYSERR) - errno = (retval >> 8)&0xff; + errno = (retval >> 8) & 0xff; return (-1); } if (retlenp) @@ -689,7 +691,7 @@ add_tilink(int s) * duplicate entry or the end. */ for (curptr = hash_bucket[x]; curptr != NULL; - curptr = curptr->ti_next) { + curptr = curptr->ti_next) { if (curptr->ti_fd == s) { /* * This can happen when the user has close(2)'ed @@ -964,7 +966,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) errno = ENOMEM; return (NULL); } - sig_mutex_lock(&ntiptr->ti_lock); /* * Allocate buffers for the new descriptor 
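Review bot: In the `_t_checkfd` hunk, removing `tiptr = NULL;` leaves `tiptr` unassigned whenever `force_sync` is non-zero, because the only remaining assignment is inside `if (!force_sync)`. The rest of the function lies outside the hunk, so it is not visible whether every later path assigns it before reading it; keeping `tiptr = NULL;` ahead of the `if` rules out an uninitialized read. A one-line comment on the new block would also help, for example `/* force_sync: skip the cached lookup and fall through to the resync path below */`. The pointer is returned after `_ti_userlock` has been dropped, as it was before this change, so presumably its lifetime depends on the caller not closing `fd` concurrently; that assumption deserves a sentence in the function's header comment.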
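Review bot: With `sig_mutex_lock(&ntiptr->ti_lock);` removed in the `_t_create` hunk at -964 and the matching unlocks removed in the later hunks (-973, -1018, -1037, -1052, -1061, -1078, -1092, -1101), `ntiptr` is now filled in with no per-entry lock held, and nothing in the visible lines documents what protects it. The `_t_delete_tilink(fd)` calls on the error paths suggest the entry is already linked by fd at this point, so another thread could in principle look it up while it is half initialised unless the caller holds `_ti_userlock` for the whole call. If that is the contract, state it in the function's header comment and enforce it with `assert(MUTEX_HELD(&_ti_userlock));` at the top. The function starts and ends outside these hunks, so an existing assertion may already cover this.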
@@ -973,7 +974,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) sv_errno = errno; (void) _t_delete_tilink(fd); t_errno = TSYSERR; - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1018,7 +1018,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) if ((rstate = _t_adjust_state(fd, T_IDLE)) < 0) { sv_errno = errno; (void) _t_delete_tilink(fd); - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1037,7 +1036,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) if ((rstate = _t_adjust_state(fd, T_DATAXFER)) < 0) { sv_errno = errno; (void) _t_delete_tilink(fd); - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1052,7 +1050,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) if ((rstate = _t_adjust_state(fd, T_INREL)) < 0) { sv_errno = errno; (void) _t_delete_tilink(fd); - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1061,7 +1058,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) default: t_errno = TSTATECHNG; (void) _t_delete_tilink(fd); - sig_mutex_unlock(&ntiptr->ti_lock); return (NULL); } @@ -1078,7 +1074,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) sv_errno = errno; (void) _t_delete_tilink(fd); t_errno = TSYSERR; - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1092,7 +1087,6 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) sv_errno = errno; (void) _t_delete_tilink(fd); t_errno = TSYSERR; - sig_mutex_unlock(&ntiptr->ti_lock); errno = sv_errno; return (NULL); } @@ -1101,7 +1095,7 @@ _t_create(int fd, struct t_info *info, int api_semantics, int *t_capreq_failed) tsap->tsa_qlen = 0; /* not needed for TLI */ ntiptr->ti_qlen = tsap->tsa_qlen; - sig_mutex_unlock(&ntiptr->ti_lock); + return (ntiptr); } 
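Review bot: The error exits in these `_t_create` hunks still repeat nearly the same teardown at every site (`sv_errno = errno; (void) _t_delete_tilink(fd); ... errno = sv_errno; return (NULL);`). That repetition is the shape in which the removed `sig_mutex_unlock(&ntiptr->ti_lock);` ended up after `_t_delete_tilink(fd)`, which per the commit title was a use after free. Routing the exits through one label, with each site reduced to setting `t_errno` where it differs and then `goto fail;`, would leave a single place to check that nothing dereferences `ntiptr` once the entry has been deleted. The `default:` branch at -1061 sets `t_errno` before the delete call while the other paths set it afterwards; a shared label would make that ordering uniform as well. The function body extends beyond these hunks, so the label placement would need to be checked against the full function.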
@@ -1162,8 +1156,8 @@ _t_adjust_state(int fd, int instate) * from the stream head. */ if ((arg.ctlbuf.len == 4) && - /* LINTED pointer cast */ - ((*(int32_t *)arg.ctlbuf.buf) == T_CONN_CON)) + /* LINTED pointer cast */ + ((*(int32_t *)arg.ctlbuf.buf) == T_CONN_CON)) outstate = T_OUTCON; break; case T_INREL: @@ -1375,7 +1369,7 @@ _t_acquire_ctlbuf( * allocate new buffer and free after use. */ if ((ctlbufp->maxlen = _t_cbuf_alloc(tiptr, - &ctlbufp->buf)) < 0) { + &ctlbufp->buf)) < 0) { t_errno = TSYSERR; return (-1); } @@ -1419,7 +1413,7 @@ _t_acquire_databuf( * allocate new buffer and free after use. */ if ((databufp->maxlen = _t_rbuf_alloc(tiptr, - &databufp->buf)) < 0) { + &databufp->buf)) < 0) { t_errno = TSYSERR; return (-1); } |