Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5d4cec2f authored by J. Bruce Fields's avatar J. Bruce Fields
Browse files

nfsd4: fix bare destroy_session null dereference 



It's legal to send a DESTROY_SESSION outside any session (as the only
operation in a compound), in which case cstate->session will be NULL;
check for that case.

While we're at it, move these checks into a separate helper function.

Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
parent 5306293c

fs/nfsd/nfs4state.c

+8 −2
Original line number Original line Diff line number Diff line
@@ -1352,6 +1352,13 @@ static bool nfsd4_last_compound_op(struct svc_rqst *rqstp) 
	return argp->opcnt == resp->opcnt;

	return argp->opcnt == resp->opcnt;

}

}





static bool nfsd4_compound_in_session(struct nfsd4_session *session, struct nfs4_sessionid *sid)

{

	if (!session)

		return 0;

	return !memcmp(sid, &session->se_sessionid, sizeof(*sid));

}



__be32

__be32

nfsd4_destroy_session(struct svc_rqst *r,

nfsd4_destroy_session(struct svc_rqst *r,

		      struct nfsd4_compound_state *cstate,

		      struct nfsd4_compound_state *cstate,
@@ -1367,8 +1374,7 @@ nfsd4_destroy_session(struct svc_rqst *r, 
	 * - Do we need to clear any callback info from previous session?

	 * - Do we need to clear any callback info from previous session?

	 */

	 */





	if (!memcmp(&sessionid->sessionid, &cstate->session->se_sessionid,

	if (nfsd4_compound_in_session(cstate->session, &sessionid->sessionid)) {

					sizeof(struct nfs4_sessionid))) {

		if (!nfsd4_last_compound_op(r))

		if (!nfsd4_last_compound_op(r))

			return nfserr_not_only_op;

			return nfserr_not_only_op;

	}

	}