11928 rpcmod's clnt_cots can do zero-length kmem allocations
*** 20,29 ****
--- 20,30 ----
*/
/*
* Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2016 by Delphix. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*** 1934,1944 ****
*/
if (srcaddr->len != lru_entry->x_src.len) {
if (srcaddr->len > 0)
kmem_free(srcaddr->buf,
srcaddr->maxlen);
! srcaddr->buf = kmem_zalloc(
lru_entry->x_src.len, KM_SLEEP);
srcaddr->maxlen = srcaddr->len =
lru_entry->x_src.len;
}
bcopy(lru_entry->x_src.buf, srcaddr->buf, srcaddr->len);
--- 1935,1946 ----
*/
if (srcaddr->len != lru_entry->x_src.len) {
if (srcaddr->len > 0)
kmem_free(srcaddr->buf,
srcaddr->maxlen);
! ASSERT(lru_entry->x_src.len != 0);
! srcaddr->buf = kmem_alloc(
lru_entry->x_src.len, KM_SLEEP);
srcaddr->maxlen = srcaddr->len =
lru_entry->x_src.len;
}
bcopy(lru_entry->x_src.buf, srcaddr->buf, srcaddr->len);
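Review bot: The new `ASSERT(lru_entry->x_src.len != 0)` only protects DEBUG kernels; on a non-DEBUG build ASSERT compiles away and a zero `x_src.len` still reaches `kmem_alloc()` with length 0, which is the case this change sets out to remove. The hunk at 2256 now deliberately leaves `x_src` empty when `srcaddr->len` is 0, so an entry with `x_src.len == 0` looks possible unless code outside these hunks rules it out. Consider handling it at runtime, for example `if (lru_entry->x_src.len == 0) { srcaddr->buf = NULL; srcaddr->maxlen = srcaddr->len = 0; } else { ... }`; the same applies to `ASSERT(cm_entry->x_src.len != 0)` in the hunk at 2442. The enclosing function starts and ends outside the hunk.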
*** 2089,2099 ****
* Set up a transport entry in the connection manager's list.
*/
cm_entry = (struct cm_xprt *)
kmem_zalloc(sizeof (struct cm_xprt), KM_SLEEP);
! cm_entry->x_server.buf = kmem_zalloc(destaddr->len, KM_SLEEP);
bcopy(destaddr->buf, cm_entry->x_server.buf, destaddr->len);
cm_entry->x_server.len = cm_entry->x_server.maxlen = destaddr->len;
cm_entry->x_state_flags = X_THREAD;
cm_entry->x_ref = 1;
--- 2091,2101 ----
* Set up a transport entry in the connection manager's list.
*/
cm_entry = (struct cm_xprt *)
kmem_zalloc(sizeof (struct cm_xprt), KM_SLEEP);
! cm_entry->x_server.buf = kmem_alloc(destaddr->len, KM_SLEEP);
bcopy(destaddr->buf, cm_entry->x_server.buf, destaddr->len);
cm_entry->x_server.len = cm_entry->x_server.maxlen = destaddr->len;
cm_entry->x_state_flags = X_THREAD;
cm_entry->x_ref = 1;
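Review bot: The `kmem_alloc(destaddr->len, KM_SLEEP)` call is the one allocation in this change left without a zero-length guard or assertion; the x_src sites get an `ASSERT` or an `if (srcaddr->len > 0)` test, while this one only drops the zeroing. If a destination address can never be empty, state that with `ASSERT(destaddr->len != 0);` ahead of the allocation; otherwise guard it the way the 2256 hunk does. Dropping kmem_zalloc() is fine here because the following bcopy() fills all `destaddr->len` bytes. The function body continues outside the hunk.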
*** 2254,2266 ****
mutex_enter(&connmgr_lock);
/*
* Set up a transport entry in the connection manager's list.
*/
! cm_entry->x_src.buf = kmem_zalloc(srcaddr->len, KM_SLEEP);
bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len);
cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len;
cm_entry->x_tiptr = tiptr;
cm_entry->x_time = ddi_get_lbolt();
if (tiptr->tp_info.servtype == T_COTS_ORD)
--- 2256,2270 ----
mutex_enter(&connmgr_lock);
/*
* Set up a transport entry in the connection manager's list.
*/
! if (srcaddr->len > 0) {
! cm_entry->x_src.buf = kmem_alloc(srcaddr->len, KM_SLEEP);
bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len);
cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len;
+ } /* Else kmem_zalloc() of cm_entry already sets its x_src to NULL. */
cm_entry->x_tiptr = tiptr;
cm_entry->x_time = ddi_get_lbolt();
if (tiptr->tp_info.servtype == T_COTS_ORD)
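Review bot: The comment on the closing brace relies on `cm_entry` having been zero-filled by a `kmem_zalloc()` that is not in this hunk (the 2091 hunk shows one such allocation), so the invariant breaks silently if an entry is ever built another way. Making the empty case explicit keeps it local: `else { cm_entry->x_src.buf = NULL; cm_entry->x_src.len = cm_entry->x_src.maxlen = 0; }`. With `x_src.buf` now allowed to be NULL, the code that releases it, which is outside this diff, should be checked to cope with `x_src.maxlen == 0`.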
*** 2438,2451 ****
* in case of a later retry.
*/
if (srcaddr->len != cm_entry->x_src.len) {
if (srcaddr->maxlen > 0)
kmem_free(srcaddr->buf, srcaddr->maxlen);
! srcaddr->buf = kmem_zalloc(cm_entry->x_src.len,
KM_SLEEP);
! srcaddr->maxlen = srcaddr->len =
! cm_entry->x_src.len;
}
bcopy(cm_entry->x_src.buf, srcaddr->buf, srcaddr->len);
}
cm_entry->x_time = ddi_get_lbolt();
mutex_exit(&connmgr_lock);
--- 2442,2455 ----
* in case of a later retry.
*/
if (srcaddr->len != cm_entry->x_src.len) {
if (srcaddr->maxlen > 0)
kmem_free(srcaddr->buf, srcaddr->maxlen);
! ASSERT(cm_entry->x_src.len != 0);
! srcaddr->buf = kmem_alloc(cm_entry->x_src.len,
KM_SLEEP);
! srcaddr->maxlen = srcaddr->len = cm_entry->x_src.len;
}
bcopy(cm_entry->x_src.buf, srcaddr->buf, srcaddr->len);
}
cm_entry->x_time = ddi_get_lbolt();
mutex_exit(&connmgr_lock);