OpenAFS Master Repository branch, master, updated. openafs-devel-1_9_1-44-g966d5eb
Gerrit Code Review
gerrit@openafs.org
Tue, 29 Jun 2021 17:36:06 -0400
The following commit has been merged in the master branch:
commit 966d5eb58f1f4fb333f263f018429c3a782be344
Author: Andrew Deason <adeason@sinenomine.net>
Date: Thu Jun 17 17:15:13 2021 -0500
afs: Free pioctlToken in extractPioctlToken
Ever since it was introduced in commit 5ec5ad5 (New GetToken pioctl),
extractPioctlToken has incorrectly freed pioctlToken by passing
'&pioctlToken' to xdr_free (instead of 'pioctlToken').
This causes xdr_ktc_tokenUnion to interpret &pioctlToken (which is a
struct ktc_tokenUnion **) as a struct ktc_tokenUnion *. This doesn't
cause any corruption or panics, since ktc_tokenUnion doesn't contain
any freeable fields unless its at_type is 2 (AFSTOKEN_UNION_KAD). So
as long as the bogus 'at_type' from the misinterpreted pointer is not 2,
the xdr_free call will just not free anything (and return an error,
which we ignore).
If the bogus at_type is 2, this would probably cause some memory
corruption or other nastiness. For this to happen on 32-bit systems,
the value of the 'pioctlToken' pointer itself would need to be 0x2.
On 64-bit systems, the top or bottom 32-bits of the pointer would need
to be 0x2 (depending on endianness). Those situations seem impossible
or very unlikely on most systems, and have never been seen in the
wild.
FIXES 135238
Change-Id: Id14571d090570cfacfa920048f41c3b1e434f31c
Reviewed-on: https://gerrit.openafs.org/14651
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
src/afs/afs_tokens.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
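To make the pointer mix-up described in the commit message concrete, the following is an added example (not OpenAFS code and not part of this commit): a minimal stand-in for xdr_free(xdr_ktc_tokenUnion, ...) that releases members according to an at_type discriminator, called once the pre-fix way with '&pioctlToken' and once the fixed way with 'pioctlToken'. The struct layout, the model free routine and all function names are hypothetical; only the value 2 for AFSTOKEN_UNION_KAD and the reasoning about which 32 bits of the pointer get misread as at_type come from the message above. The discriminator is read with memcpy so the demonstration stays well-defined even when the object is really just a pointer variable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define AFSTOKEN_UNION_KAD 2   /* the only at_type with freeable members */

/* Hypothetical stand-in for struct ktc_tokenUnion. */
struct ktc_tokenUnion {
    int32_t at_type;                                     /* union discriminator */
    struct { unsigned char *ticket; size_t len; } kad;   /* valid when at_type == 2 */
};

/* Models xdr_free(xdr_ktc_tokenUnion, objp): objp is treated as a
 * ktc_tokenUnion whatever it really is. Returns 1 on success, 0 for an
 * unknown discriminator (the ignored error in the commit message). */
static int model_xdr_free_tokenUnion(void *objp)
{
    int32_t at_type;
    memcpy(&at_type, objp, sizeof at_type);
    if (at_type != AFSTOKEN_UNION_KAD)
        return 0;                      /* nothing freeable: no-op, error */
    /* If objp were really an 8-byte pointer variable, this would read past
     * it: the corruption case the message calls unlikely. */
    struct ktc_tokenUnion *tu = objp;
    free(tu->kad.ticket);
    tu->kad.ticket = NULL;
    tu->kad.len = 0;
    return 1;
}

/* Constructed sample token: at_type 2 with a heap-allocated ticket. */
static struct ktc_tokenUnion *make_kad_token(void)
{
    static const unsigned char sample[] = "constructed-ticket-bytes";
    struct ktc_tokenUnion *tu = calloc(1, sizeof *tu);
    if (!tu) abort();
    tu->at_type = AFSTOKEN_UNION_KAD;
    tu->kad.len = sizeof sample;
    tu->kad.ticket = malloc(sizeof sample);
    if (!tu->kad.ticket) abort();
    memcpy(tu->kad.ticket, sample, sizeof sample);
    return tu;
}

/* What the bogus call sees as at_type: the first 4 bytes of the pointer
 * variable itself. */
static int32_t misread_at_type(struct ktc_tokenUnion *const *slot)
{
    int32_t t;
    memcpy(&t, slot, sizeof t);
    return t;
}

/* The same value as the commit message states it: the whole pointer on a
 * 32-bit system, else its low (little-endian) or high (big-endian) 32 bits. */
static int32_t misread_per_commit_message(struct ktc_tokenUnion *p)
{
    uintptr_t v = (uintptr_t)p;
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    if (sizeof v == sizeof(int32_t) || first == 1)
        return (int32_t)(uint32_t)v;                  /* whole pointer or low half */
    return (int32_t)(uint32_t)((v >> 16) >> 16);      /* high half on big-endian */
}

struct outcome {
    int xdr_rc;            /* return of the model free routine */
    int ticket_released;   /* 1 if the heap ticket was actually freed */
    int32_t at_type_seen;  /* discriminator the routine acted on */
};

/* Pre-fix pattern: '&pioctlToken' (a struct ktc_tokenUnion **) is passed. */
static struct outcome call_buggy(void)
{
    struct ktc_tokenUnion *pioctlToken = make_kad_token();
    struct outcome o;
    o.at_type_seen = misread_at_type(&pioctlToken);
    o.xdr_rc = model_xdr_free_tokenUnion(&pioctlToken);          /* BUG */
    o.ticket_released = (pioctlToken->kad.ticket == NULL);
    if (!o.ticket_released) model_xdr_free_tokenUnion(pioctlToken); /* cleanup */
    free(pioctlToken);
    return o;
}

/* Fixed pattern: 'pioctlToken' itself is passed. */
static struct outcome call_fixed(void)
{
    struct ktc_tokenUnion *pioctlToken = make_kad_token();
    struct outcome o;
    o.at_type_seen = pioctlToken->at_type;
    o.xdr_rc = model_xdr_free_tokenUnion(pioctlToken);
    o.ticket_released = (pioctlToken->kad.ticket == NULL);
    free(pioctlToken);
    return o;
}

/* 1 if the misread discriminator is exactly the pointer half predicted. */
static int misread_matches_description(void)
{
    struct ktc_tokenUnion *tok = make_kad_token();
    int ok = (misread_at_type(&tok) == misread_per_commit_message(tok));
    model_xdr_free_tokenUnion(tok);
    free(tok);
    return ok;
}

int main(void)
{
    struct outcome b = call_buggy(), f = call_fixed();
    printf("buggy: rc=%d released=%d at_type_seen=0x%08x\n",
           b.xdr_rc, b.ticket_released, (uint32_t)b.at_type_seen);
    printf("fixed: rc=%d released=%d at_type_seen=%d\n",
           f.xdr_rc, f.ticket_released, f.at_type_seen);
    printf("misread matches description: %d\n", misread_matches_description());
    return 0;
}
```

Run under a leak checker (e.g. valgrind or -fsanitize=address with ASAN_OPTIONS=detect_leaks=1) and the buggy variant shows exactly the silent behaviour described above: the routine returns an error, nothing is freed, and the ticket leaks, while the at_type it acted on is simply a slice of the heap address.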