The early error exit in p9_stat() returns without zeroing the p9_stat
buffer, resulting in free() being called with an uninitialized pointer.
Fix that by calling free_stat() in p9_stat() in case of returning an
error and potentially having allocated strings.
Reported-by: Julien Grall <julien@xen.org>
Fixes: 2d1dfccd3aa3 ("Mini-OS: add read and write support to 9pfsfront")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
&stat->extension, &stat->n_uid, &stat->n_gid, &stat->n_muid);
ret = req->result;
+ if ( ret )
+ free_stat(&stat);
put_free_req(dev, req);
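Review bot: the added free_stat(&stat) takes the address of the stat parameter, which is already a pointer in this function (the receive call just above uses &stat->extension), so free_stat() would be handed a pointer to the pointer rather than the struct. The caller in the write path passes &stat for a struct it owns, so the call here should most likely be free_stat(stat). It is also worth confirming that the early error exit named in the commit message, which lies outside this hunk, either reaches this cleanup or returns only after the buffer has been zeroed.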
if ( f9pfs->append )
{
ret = p9_stat(f9pfs->dev, f9pfs->fid, &stat);
- free_stat(&stat);
if ( ret )
{
errno = EIO;
return -1;
}
file->offset = stat.length;
+ free_stat(&stat);
}
ret = p9_write(f9pfs->dev, f9pfs->fid, file->offset, buf, nbytes);
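Review bot: with free_stat(&stat) moved below the error check, the error path here depends on p9_stat() having released any allocated strings itself, and nothing in the visible lines documents that contract. A short comment at p9_stat() stating that it frees the buffer on failure and that the caller frees only on success would keep other callers from retaining the old unconditional free_stat() after the call, which would free the same strings twice unless free_stat() clears the pointers.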