autofs4: Do not potentially dereference NULL pointer returned by fget() in autofs_dev...
authorJesper Juhl <jj@chaosbits.net>
Thu, 24 Mar 2011 17:51:37 +0000 (01:51 +0800)
committerAl Viro <viro@zeniv.linux.org.uk>
Thu, 24 Mar 2011 18:54:35 +0000 (14:54 -0400)
In fs/autofs4/dev-ioctl.c::autofs_dev_ioctl_setpipefd() we call fget(),
which may return NULL, but we do not explicitly test for that NULL return
so we may end up dereferencing a NULL pointer - bad.

When I originally submitted this patch I had chosen EBUSY as the return
value to use if this happens. Ian Kent was kind enough to explain why that
would most likely be wrong and why EBADF should most likely be used
instead. This version of the patch uses EBADF.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/autofs4/dev-ioctl.c

index 1442da4860e5ef6ad303fd5868fa70c68a5601a6..509fe1eb66ae31babcceda94ab8fd0a04268ebcb 100644 (file)
@@ -372,6 +372,10 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp,
                return -EBUSY;
        } else {
                struct file *pipe = fget(pipefd);
+               if (!pipe) {
+                       err = -EBADF;
+                       goto out;
+               }
                if (!pipe->f_op || !pipe->f_op->write) {
                        err = -EPIPE;
                        fput(pipe);