From 48f51fc263193c5e4f2102548e2ced0ab6be462d Mon Sep 17 00:00:00 2001 From: Greg Banks Date: Tue, 20 Feb 2007 10:12:34 +1100 Subject: [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772) Due to type confusion, when an nfsacl verison 2 'ACCESS' request finishes and tries to clean up, it calls fh_put on entiredly the wrong thing and this can cause an oops. Signed-off-by: Neil Brown Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/nfsd/nfs2acl.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c index fc95c4df6693..c318b6fc8187 100644 --- a/fs/nfsd/nfs2acl.c +++ b/fs/nfsd/nfs2acl.c @@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, u32 *p, return 1; } -static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, u32 *p, - struct nfsd_fhandle *resp) +static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, u32 *p, + struct nfsd_attrstat *resp) { fh_put(&resp->fh); return 1; } +static int nfsaclsvc_release_access(struct svc_rqst *rqstp, u32 *p, + struct nfsd3_accessres *resp) +{ + fh_put(&resp->fh); + return 1; +} + #define nfsaclsvc_decode_voidargs NULL #define nfsaclsvc_encode_voidres NULL #define nfsaclsvc_release_void NULL @@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; }; static struct svc_procedure nfsd_acl_procedures2[] = { PROC(null, void, void, void, RC_NOCACHE, ST), PROC(getacl, getacl, getacl, getacl, RC_NOCACHE, ST+1+2*(1+ACL)), - PROC(setacl, setacl, attrstat, fhandle, RC_NOCACHE, ST+AT), - PROC(getattr, fhandle, attrstat, fhandle, RC_NOCACHE, ST+AT), - PROC(access, access, access, fhandle, RC_NOCACHE, ST+AT+1), + PROC(setacl, setacl, attrstat, attrstat, RC_NOCACHE, ST+AT), + PROC(getattr, fhandle, attrstat, attrstat, RC_NOCACHE, ST+AT), + PROC(access, access, access, access, RC_NOCACHE, ST+AT+1), }; struct svc_version nfsd_acl_version2 = { -- cgit v1.2.3