ref: 42f37419b65199482a5d951bc6e451c558b3a10e
parent: cd3b567ea0629dea0f3f816af23774bc62c75bab
author: cinap_lenrek <cinap_lenrek@centraldogma>
date: Tue Sep 6 22:46:38 EDT 2011
cwfs: fix use after free bug (ai->cuid), remove waitedfor abort()
--- a/sys/src/cmd/cwfs/auth.c
+++ b/sys/src/cmd/cwfs/auth.c
@@ -143,12 +143,13 @@
if((ai = auth_getinfo(rpc)) == nil)
goto Phase;
file->uid = strtouid(ai->cuid);
- auth_freeAI(ai);
if(file->uid < 0){
snprint(chan->err, sizeof(chan->err),
"unknown user '%s'", ai->cuid);
+ auth_freeAI(ai);
return -1;
}
+ auth_freeAI(ai);
return 0;
case ARok:
if(count < rpc->narg){
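Review bot: Nothing in the new code says why `auth_freeAI(ai)` must come after the `snprint` in the `file->uid < 0` branch, and the release is now written twice, once per exit. The error message reads `ai->cuid`, so a later cleanup that merges the two calls back above the `if` would quietly reintroduce the use after free this commit fixes. I would add a comment above the `if(file->uid < 0){` line, such as `/* ai->cuid is read by the error message below; free ai only after it is formatted */`. The enclosing switch case and function start and end outside this hunk, so I cannot tell from here whether other exits in the same case also hold `ai`.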
--- a/sys/src/cmd/cwfs/portdat.h
+++ b/sys/src/cmd/cwfs/portdat.h
@@ -164,7 +164,6 @@
Rendez empty;
Rendez full;
- int waitedfor; /* flag */
char* name; /* for debugging */
int size; /* size of queue */
--- a/sys/src/cmd/cwfs/sub.c
+++ b/sys/src/cmd/cwfs/sub.c
@@ -928,7 +928,6 @@
if(q == nil)
panic("recv null q");
qlock(q);
- q->waitedfor = 1;
while((c = q->count) <= 0)
rsleep(&q->empty);
i = q->loc;
@@ -950,15 +949,6 @@
if(q == nil)
panic("send null q");
- if(!q->waitedfor) {
- for (i = 0; i < 5 && !q->waitedfor; i++)
- sleep(1000);
- if(!q->waitedfor) {
- /* likely a bug; don't wait forever */
- fprint(2, "no readers yet for %s q\n", q->name);
- abort();
- }
- }
qlock(q);
while((c = q->count) >= q->size)
rsleep(&q->full);