Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Fix some potential kernel leaks, 2025-05-07
Posted by Anonymous on Wed 7th May 2025 16:00
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From fe203d8a9c60660dd167e44bb98b6e105549aaaa Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 7 May 2025 12:24:20 +0200 Subject: [PATCH 1/3] sys: Make sure Mdl mappings and locked memory pages are only released/freed once Make sure Mdl mappings and locked memory pages are only released/freed once. Reported-by: Dan Shelton <dan.f.shelton@gmail.com> Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41sys_dir.c | 4 +- sys/nfs41sys_fsctl.c | 4 +- sys/nfs41sys_openclose.c | 5 ++- sys/nfs41sys_readwrite.c | 5 ++- sys/nfs41sys_updowncall.c | 86 +++++++++++++++++++++++++++++++++++++-- 5 files changed, 96 insertions(+), 8 deletions(-) diff --git a/sys/nfs41sys_dir.c b/sys/nfs41sys_dir.c index 4d0681d..fc71eef 100644 --- a/sys/nfs41sys_dir.c +++ b/sys/nfs41sys_dir.c @@ -1,6 +1,6 @@ /* NFSv4.1 client for Windows * Copyright (C) 2012 The Regents of the University of Michigan - * Copyright (C) 2023-2024 Roland Mainz <roland.mainz@nrubsig.org> + * Copyright (C) 2023-2025 Roland Mainz <roland.mainz@nrubsig.org> * * Olga Kornievskaia <aglo@umich.edu> * Casey Bodley <cbodley@umich.edu> @@ -149,6 +149,7 @@ NTSTATUS unmarshal_nfs41_dirquery( *buf += sizeof(ULONG); __try { MmUnmapLockedPages(cur->u.QueryFile.mdl_buf, cur->u.QueryFile.mdl); + cur->u.QueryFile.mdl_buf = NULL; } __except(EXCEPTION_EXECUTE_HANDLER) { NTSTATUS code; code = GetExceptionCode(); @@ -317,6 +318,7 @@ NTSTATUS nfs41_QueryDirectory( status = map_querydir_errors(entry->status); } IoFreeMdl(entry->u.QueryFile.mdl); + entry->u.QueryFile.mdl = NULL; nfs41_UpcallDestroy(entry); out: #ifdef ENABLE_TIMINGS diff --git a/sys/nfs41sys_fsctl.c b/sys/nfs41sys_fsctl.c index 3f401ec..bc7ea2b 100644 --- a/sys/nfs41sys_fsctl.c +++ b/sys/nfs41sys_fsctl.c @@ -317,10 +317,12 @@ NTSTATUS unmarshal_nfs41_queryallocatedranges( NTSTATUS status = STATUS_SUCCESS; __try { - if (cur->u.QueryAllocatedRanges.Buffer) + if (cur->u.QueryAllocatedRanges.Buffer) { MmUnmapLockedPages( cur->u.QueryAllocatedRanges.Buffer, cur->u.QueryAllocatedRanges.BufferMdl); + cur->u.QueryAllocatedRanges.Buffer = NULL; + } } __except(EXCEPTION_EXECUTE_HANDLER) { print_error("unmarshal_nfs41_queryallocatedranges: " "MmUnmapLockedPages thrown exception=0x%lx\n", diff --git a/sys/nfs41sys_openclose.c b/sys/nfs41sys_openclose.c index 9334701..50cdc15 100644 --- a/sys/nfs41sys_openclose.c +++ b/sys/nfs41sys_openclose.c @@ -252,8 +252,10 @@ NTSTATUS unmarshal_nfs41_open( NTSTATUS status = STATUS_SUCCESS; __try { - if (cur->u.Open.EaBuffer) + if (cur->u.Open.EaBuffer) { MmUnmapLockedPages(cur->u.Open.EaBuffer, cur->u.Open.EaMdl); + cur->u.Open.EaBuffer = NULL; + } } __except(EXCEPTION_EXECUTE_HANDLER) { print_error("MmUnmapLockedPages thrown exception=0x%lx\n", (long)GetExceptionCode()); @@ -726,6 +728,7 @@ retry_on_link: if (entry->u.Open.EaMdl) { MmUnlockPages(entry->u.Open.EaMdl); IoFreeMdl(entry->u.Open.EaMdl); + entry->u.Open.EaMdl = NULL; } if (status) goto out; diff --git a/sys/nfs41sys_readwrite.c b/sys/nfs41sys_readwrite.c index ba6f3db..6f5c8fb 100644 --- a/sys/nfs41sys_readwrite.c +++ b/sys/nfs41sys_readwrite.c @@ -179,7 +179,10 @@ NTSTATUS unmarshal_nfs41_rw( * is already locked. */ __try { - MmUnmapLockedPages(cur->buf, cur->u.ReadWrite.MdlAddress); + if (cur->buf) { + MmUnmapLockedPages(cur->buf, cur->u.ReadWrite.MdlAddress); + cur->buf = NULL; + } } __except(EXCEPTION_EXECUTE_HANDLER) { NTSTATUS code; code = GetExceptionCode(); diff --git a/sys/nfs41sys_updowncall.c b/sys/nfs41sys_updowncall.c index 5e2edee..ca130cf 100644 --- a/sys/nfs41sys_updowncall.c +++ b/sys/nfs41sys_updowncall.c @@ -402,6 +402,28 @@ NTSTATUS nfs41_UpcallCreate( ObReferenceObject(entry->psec_ctx_clienttoken); } + if (entry) { + /* Clear fields used for memory mappings */ + switch(entry->opcode) { + case NFS41_SYSOP_WRITE: + case NFS41_SYSOP_READ: + entry->buf = NULL; + break; + case NFS41_SYSOP_DIR_QUERY: + entry->u.QueryFile.mdl_buf = NULL; + entry->u.QueryFile.mdl = NULL; + break; + case NFS41_SYSOP_OPEN: + entry->u.Open.EaBuffer = NULL; + entry->u.Open.EaMdl = NULL; + break; + case NFS41_SYSOP_FSCTL_QUERYALLOCATEDRANGES: + entry->u.QueryAllocatedRanges.Buffer = NULL; + entry->u.QueryAllocatedRanges.BufferMdl = NULL; + break; + } + } + *entry_out = entry; out: return status; @@ -412,6 +434,52 @@ void nfs41_UpcallDestroy(nfs41_updowncall_entry *entry) if (!entry) return; +#if defined(_DEBUG) + switch(entry->opcode) { + case NFS41_SYSOP_WRITE: + case NFS41_SYSOP_READ: + if (entry->buf) { + DbgP("nfs41_UpcallDestroy: NFS41_SYSOP_RW mapping leak\n"); + MmUnmapLockedPages(entry->buf, entry->u.ReadWrite.MdlAddress); + entry->buf = NULL; + } + break; + case NFS41_SYSOP_DIR_QUERY: + if (entry->u.QueryFile.mdl) { + DbgP("nfs41_UpcallDestroy: " + "NFS41_SYSOP_DIR_QUERY mapping leak\n"); + MmUnmapLockedPages(entry->u.QueryFile.mdl_buf, + entry->u.QueryFile.mdl); + IoFreeMdl(entry->u.QueryFile.mdl); + entry->u.QueryFile.mdl_buf = NULL; + entry->u.QueryFile.mdl = NULL; + } + break; + case NFS41_SYSOP_OPEN: + if (entry->u.Open.EaMdl) { + DbgP("nfs41_UpcallDestroy: NFS41_SYSOP_OPEN mapping leak\n"); + MmUnmapLockedPages(entry->u.Open.EaBuffer, + entry->u.Open.EaMdl); + IoFreeMdl(entry->u.Open.EaMdl); + entry->u.Open.EaBuffer = NULL; + entry->u.Open.EaMdl = NULL; + } + break; + case NFS41_SYSOP_FSCTL_QUERYALLOCATEDRANGES: + if (entry->u.QueryAllocatedRanges.BufferMdl) { + DbgP("nfs41_UpcallDestroy: " + "NFS41_SYSOP_FSCTL_QUERYALLOCATEDRANGES mapping leak\n"); + MmUnmapLockedPages( + entry->u.QueryAllocatedRanges.Buffer, + entry->u.QueryAllocatedRanges.BufferMdl); + IoFreeMdl(entry->u.QueryAllocatedRanges.BufferMdl); + entry->u.QueryAllocatedRanges.Buffer = NULL; + entry->u.QueryAllocatedRanges.BufferMdl = NULL; + } + break; + } +#endif /* _DEBUG */ + if (entry->psec_ctx_clienttoken) { ObDereferenceObject(entry->psec_ctx_clienttoken); } @@ -596,18 +664,27 @@ NTSTATUS nfs41_downcall( switch(cur->opcode) { case NFS41_SYSOP_WRITE: case NFS41_SYSOP_READ: - MmUnmapLockedPages(cur->buf, cur->u.ReadWrite.MdlAddress); + if (cur->buf) { + MmUnmapLockedPages(cur->buf, cur->u.ReadWrite.MdlAddress); + cur->buf = NULL; + } break; case NFS41_SYSOP_DIR_QUERY: - MmUnmapLockedPages(cur->u.QueryFile.mdl_buf, + if (cur->u.QueryFile.mdl) { + MmUnmapLockedPages(cur->u.QueryFile.mdl_buf, cur->u.QueryFile.mdl); - IoFreeMdl(cur->u.QueryFile.mdl); + IoFreeMdl(cur->u.QueryFile.mdl); + cur->u.QueryFile.mdl_buf = NULL; + cur->u.QueryFile.mdl = NULL; + } break; case NFS41_SYSOP_OPEN: if (cur->u.Open.EaMdl) { MmUnmapLockedPages(cur->u.Open.EaBuffer, - cur->u.Open.EaMdl); + cur->u.Open.EaMdl); IoFreeMdl(cur->u.Open.EaMdl); + cur->u.Open.EaBuffer = NULL; + cur->u.Open.EaMdl = NULL; } break; case NFS41_SYSOP_FSCTL_QUERYALLOCATEDRANGES: @@ -616,6 +693,7 @@ NTSTATUS nfs41_downcall( cur->u.QueryAllocatedRanges.Buffer, cur->u.QueryAllocatedRanges.BufferMdl); IoFreeMdl(cur->u.QueryAllocatedRanges.BufferMdl); + cur->u.QueryAllocatedRanges.Buffer = NULL; cur->u.QueryAllocatedRanges.BufferMdl = NULL; } break; -- 2.45.1 From 2b9c0476d623e848ffdabf42caa39a2e38fc2541 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 7 May 2025 13:29:05 +0200 Subject: [PATCH 2/3] sys: Make sure we do not free an |nfs41_updowncall_entry| which got a timeout Make sure we do not free an |nfs41_updowncall_entry| which got a timeout, otherwise we would crash later when the userland daemon does the downcall. Reported-by: Dan Shelton <dan.f.shelton@gmail.com> Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41sys_acl.c | 12 ++++++++++-- sys/nfs41sys_dir.c | 6 +++++- sys/nfs41sys_driver.c | 6 +++++- sys/nfs41sys_ea.c | 18 +++++++++++++++--- sys/nfs41sys_fileinfo.c | 10 +++++++--- sys/nfs41sys_fsctl.c | 4 +++- sys/nfs41sys_lock.c | 12 ++++++++++-- sys/nfs41sys_mount.c | 6 +++++- sys/nfs41sys_openclose.c | 12 ++++++++++-- sys/nfs41sys_readwrite.c | 12 ++++++++++-- sys/nfs41sys_symlink.c | 12 ++++++++++-- sys/nfs41sys_volinfo.c | 6 +++++- 12 files changed, 95 insertions(+), 21 deletions(-) diff --git a/sys/nfs41sys_acl.c b/sys/nfs41sys_acl.c index 1d64293..2758fbf 100644 --- a/sys/nfs41sys_acl.c +++ b/sys/nfs41sys_acl.c @@ -266,7 +266,11 @@ NTSTATUS nfs41_QuerySecurityInformation( entry->buf_len = RxContext->CurrentIrpSp->Parameters.QuerySecurity.Length; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (entry->status == STATUS_BUFFER_TOO_SMALL) { #ifdef DEBUG_ACL_QUERY @@ -406,7 +410,11 @@ NTSTATUS nfs41_SetSecurityInformation( #endif status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_query_acl_error(entry->status); if (!status) { diff --git a/sys/nfs41sys_dir.c b/sys/nfs41sys_dir.c index fc71eef..4faedef 100644 --- a/sys/nfs41sys_dir.c +++ b/sys/nfs41sys_dir.c @@ -294,7 +294,11 @@ NTSTATUS nfs41_QueryDirectory( MmUnlockPages(entry->u.QueryFile.mdl); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (entry->status == STATUS_BUFFER_TOO_SMALL) { DbgP("nfs41_QueryDirectory: buffer too small provided %d need %lu\n", diff --git a/sys/nfs41sys_driver.c b/sys/nfs41sys_driver.c index 43f0706..50f37a1 100644 --- a/sys/nfs41sys_driver.c +++ b/sys/nfs41sys_driver.c @@ -321,7 +321,11 @@ NTSTATUS nfs41_shutdown_daemon( SeDeleteClientSecurity(entry->psec_ctx); } entry->psec_ctx = NULL; - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } nfs41_UpcallDestroy(entry); out: diff --git a/sys/nfs41sys_ea.c b/sys/nfs41sys_ea.c index b5f12c3..719c41e 100644 --- a/sys/nfs41sys_ea.c +++ b/sys/nfs41sys_ea.c @@ -380,7 +380,11 @@ NTSTATUS nfs41_SetEaInformation( entry->buf_len = buflen; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } #ifdef ENABLE_TIMINGS if (entry->status == STATUS_SUCCESS) { InterlockedIncrement(&setexattr.sops); @@ -483,7 +487,11 @@ NTSTATUS QueryCygwinSymlink( entry->u.Symlink.target = &TargetName; status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_setea_error(entry->status); if (status == STATUS_SUCCESS) { @@ -639,7 +647,11 @@ NTSTATUS nfs41_QueryEaInformation( entry->u.QueryEa.ReturnSingleEntry = RxContext->QueryEa.ReturnSingleEntry; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (entry->status == STATUS_SUCCESS) { switch (entry->u.QueryEa.Overflow) { diff --git a/sys/nfs41sys_fileinfo.c b/sys/nfs41sys_fileinfo.c index e5bd1a0..905096e 100644 --- a/sys/nfs41sys_fileinfo.c +++ b/sys/nfs41sys_fileinfo.c @@ -401,8 +401,8 @@ NTSTATUS nfs41_QueryFileInformation( status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); if (status) { - print_error("nfs41_UpcallWaitForReply() failed, status=0x%lx\n", - (long)status); + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; goto out; } @@ -743,7 +743,11 @@ NTSTATUS nfs41_SetFileInformation( #endif status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_setfile_error(entry->status); if (!status) { diff --git a/sys/nfs41sys_fsctl.c b/sys/nfs41sys_fsctl.c index bc7ea2b..0803229 100644 --- a/sys/nfs41sys_fsctl.c +++ b/sys/nfs41sys_fsctl.c @@ -193,6 +193,7 @@ NTSTATUS nfs41_QueryAllocatedRanges( status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); if (status) { /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; goto out; } @@ -512,6 +513,7 @@ NTSTATUS nfs41_SetZeroData( status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); if (status) { /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; goto out; } @@ -740,9 +742,9 @@ NTSTATUS nfs41_DuplicateData( duplicatedatabuffer->ByteCount.QuadPart; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) { /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; goto out; } diff --git a/sys/nfs41sys_lock.c b/sys/nfs41sys_lock.c index e6a2016..4f71120 100644 --- a/sys/nfs41sys_lock.c +++ b/sys/nfs41sys_lock.c @@ -311,7 +311,11 @@ NTSTATUS nfs41_Lock( retry_upcall: status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } /* blocking locks keep trying until it succeeds */ if (entry->status == ERROR_LOCK_FAILED && entry->u.Lock.blocking) { @@ -436,7 +440,11 @@ NTSTATUS nfs41_Unlock( } status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_lock_errors(entry->status); RxContext->CurrentIrp->IoStatus.Status = status; diff --git a/sys/nfs41sys_mount.c b/sys/nfs41sys_mount.c index 5a78eb8..8f4fa40 100644 --- a/sys/nfs41sys_mount.c +++ b/sys/nfs41sys_mount.c @@ -277,7 +277,11 @@ NTSTATUS nfs41_mount( SeDeleteClientSecurity(entry->psec_ctx); } entry->psec_ctx = NULL; - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } *session = entry->session; if (entry->u.Mount.lease_time > config->timeout) config->timeout = entry->u.Mount.lease_time; diff --git a/sys/nfs41sys_openclose.c b/sys/nfs41sys_openclose.c index 50cdc15..972a2c7 100644 --- a/sys/nfs41sys_openclose.c +++ b/sys/nfs41sys_openclose.c @@ -731,7 +731,11 @@ retry_on_link: entry->u.Open.EaMdl = NULL; } - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (entry->status == NO_ERROR && entry->errno == ERROR_REPARSE) { /* symbolic link handling. when attempting to open a symlink when the @@ -1164,7 +1168,11 @@ NTSTATUS nfs41_CloseSrvOpen( entry->u.Close.renamed = nfs41_fcb->Renamed; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } /* map windows ERRORs to NTSTATUS */ status = map_close_errors(entry->status); diff --git a/sys/nfs41sys_readwrite.c b/sys/nfs41sys_readwrite.c index 6f5c8fb..2cfcf7c 100644 --- a/sys/nfs41sys_readwrite.c +++ b/sys/nfs41sys_readwrite.c @@ -271,7 +271,11 @@ NTSTATUS nfs41_Read( io_delay = pVNetRootContext->timeout + EXTRA_TIMEOUT_PER_BYTE(entry->buf_len); status = nfs41_UpcallWaitForReply(entry, io_delay); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (async) { #ifdef DEBUG_READ @@ -389,7 +393,11 @@ NTSTATUS nfs41_Write( io_delay = pVNetRootContext->timeout + EXTRA_TIMEOUT_PER_BYTE(entry->buf_len); status = nfs41_UpcallWaitForReply(entry, io_delay); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (async) { #ifdef DEBUG_WRITE diff --git a/sys/nfs41sys_symlink.c b/sys/nfs41sys_symlink.c index fffcde7..d92281a 100644 --- a/sys/nfs41sys_symlink.c +++ b/sys/nfs41sys_symlink.c @@ -409,7 +409,11 @@ NTSTATUS nfs41_SetSymlinkReparsePoint( entry->u.Symlink.target = &TargetName; status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_symlink_errors(entry->status); out: @@ -588,7 +592,11 @@ NTSTATUS nfs41_GetSymlinkReparsePoint( entry->u.Symlink.target = &TargetName; status = nfs41_UpcallWaitForReply(entry, VNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } status = map_symlink_errors(entry->status); if (status == STATUS_SUCCESS) { diff --git a/sys/nfs41sys_volinfo.c b/sys/nfs41sys_volinfo.c index d4a0eeb..7d58020 100644 --- a/sys/nfs41sys_volinfo.c +++ b/sys/nfs41sys_volinfo.c @@ -249,7 +249,11 @@ NTSTATUS nfs41_QueryVolumeInformation( entry->buf_len = RxContext->Info.LengthRemaining; status = nfs41_UpcallWaitForReply(entry, pVNetRootContext->timeout); - if (status) goto out; + if (status) { + /* Timeout - |nfs41_downcall()| will free |entry|+contents */ + entry = NULL; + goto out; + } if (entry->status == STATUS_BUFFER_TOO_SMALL) { RxContext->InformationToReturn = entry->buf_len; -- 2.45.1 From 9b45c9d9c198201594b5dd067bdb67eeea9f2efa Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 7 May 2025 16:13:24 +0200 Subject: [PATCH 3/3] sys: Make sure we do not leak |nfs41_updowncall_entry| Make sure we do not leak |nfs41_updowncall_entry|. Reported-by: Dan Shelton <dan.f.shelton@gmail.com> Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41sys_acl.c | 14 +++++++++----- sys/nfs41sys_dir.c | 7 ++++--- sys/nfs41sys_ea.c | 20 ++++++++++++-------- sys/nfs41sys_fileinfo.c | 12 ++++++++---- sys/nfs41sys_fsctl.c | 9 ++++----- sys/nfs41sys_lock.c | 12 ++++++++---- sys/nfs41sys_mount.c | 12 ++++++++---- sys/nfs41sys_openclose.c | 29 +++++++++++++++-------------- sys/nfs41sys_readwrite.c | 14 ++++++++++---- sys/nfs41sys_symlink.c | 6 ++++-- sys/nfs41sys_volinfo.c | 8 +++++--- 11 files changed, 87 insertions(+), 56 deletions(-) diff --git a/sys/nfs41sys_acl.c b/sys/nfs41sys_acl.c index 2758fbf..c468433 100644 --- a/sys/nfs41sys_acl.c +++ b/sys/nfs41sys_acl.c @@ -1,6 +1,6 @@ /* NFSv4.1 client for Windows * Copyright (C) 2012 The Regents of the University of Michigan - * Copyright (C) 2023-2024 Roland Mainz <roland.mainz@nrubsig.org> + * Copyright (C) 2023-2025 Roland Mainz <roland.mainz@nrubsig.org> * * Olga Kornievskaia <aglo@umich.edu> * Casey Bodley <cbodley@umich.edu> @@ -204,7 +204,7 @@ NTSTATUS nfs41_QuerySecurityInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_NOT_SUPPORTED; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; __notnull PNFS41_FOBX nfs41_fobx = NFS41GetFobxExtension(RxContext->pFobx); __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; __notnull PNFS41_V_NET_ROOT_EXTENSION pVNetRootContext = @@ -304,8 +304,10 @@ NTSTATUS nfs41_QuerySecurityInformation( } else { status = map_query_acl_error(entry->status); } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); /* only count getacl that we made an upcall for */ @@ -353,7 +355,7 @@ NTSTATUS nfs41_SetSecurityInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_NOT_SUPPORTED; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; __notnull PNFS41_FOBX nfs41_fobx = NFS41GetFobxExtension(RxContext->pFobx); __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; __notnull PNFS41_V_NET_ROOT_EXTENSION pVNetRootContext = @@ -424,8 +426,10 @@ NTSTATUS nfs41_SetSecurityInformation( nfs41_update_fcb_list(RxContext->pFcb, entry->ChangeTime); nfs41_fcb->changeattr = entry->ChangeTime; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&setacl.tops); diff --git a/sys/nfs41sys_dir.c b/sys/nfs41sys_dir.c index 4faedef..1e9f581 100644 --- a/sys/nfs41sys_dir.c +++ b/sys/nfs41sys_dir.c @@ -220,7 +220,7 @@ NTSTATUS nfs41_QueryDirectory( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INVALID_PARAMETER; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; FILE_INFORMATION_CLASS InfoClass = RxContext->Info.FileInformationClass; PUNICODE_STRING Filter = &RxContext->pFobx->UnicodeQueryTemplate; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -271,7 +271,6 @@ NTSTATUS nfs41_QueryDirectory( RxContext->Info.LengthRemaining, FALSE, FALSE, NULL); if (entry->u.QueryFile.mdl == NULL) { status = STATUS_INTERNAL_ERROR; - nfs41_UpcallDestroy(entry); goto out; } #pragma warning( push ) @@ -323,8 +322,10 @@ NTSTATUS nfs41_QueryDirectory( } IoFreeMdl(entry->u.QueryFile.mdl); entry->u.QueryFile.mdl = NULL; - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&readdir.tops); diff --git a/sys/nfs41sys_ea.c b/sys/nfs41sys_ea.c index 719c41e..f8eac28 100644 --- a/sys/nfs41sys_ea.c +++ b/sys/nfs41sys_ea.c @@ -324,7 +324,7 @@ NTSTATUS nfs41_SetEaInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_EAS_NOT_SUPPORTED; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; __notnull PFILE_FULL_EA_INFORMATION eainfo = (PFILE_FULL_EA_INFORMATION)RxContext->Info.Buffer; nfs3_attrs *attrs = NULL; @@ -371,8 +371,6 @@ NTSTATUS nfs41_SetEaInformation( "(eainfo=0x%p, buflen=%lu, &(error_offset=%d))\n", (long)status, (void *)eainfo, buflen, (int)error_offset); - nfs41_UpcallDestroy(entry); - entry = NULL; goto out; } } @@ -400,8 +398,10 @@ NTSTATUS nfs41_SetEaInformation( nfs41_fcb->changeattr = entry->ChangeTime; nfs41_fcb->mode = entry->u.SetEa.mode; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&setexattr.tops); @@ -463,7 +463,7 @@ NTSTATUS QueryCygwinSymlink( __notnull PNFS41_NETROOT_EXTENSION NetRootContext = NFS41GetNetRootExtension(SrvOpen->pVNetRoot->pNetRoot); __notnull PNFS41_FOBX Fobx = NFS41GetFobxExtension(RxContext->pFobx); - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; UNICODE_STRING TargetName; const USHORT HeaderLen = FIELD_OFFSET(FILE_FULL_EA_INFORMATION, EaName) + query->EaNameLength + 1; @@ -506,8 +506,10 @@ NTSTATUS QueryCygwinSymlink( RxContext->InformationToReturn = (ULONG_PTR)HeaderLen + entry->u.Symlink.target->Length; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } return status; } @@ -602,7 +604,7 @@ NTSTATUS nfs41_QueryEaInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_EAS_NOT_SUPPORTED; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; PFILE_GET_EA_INFORMATION query = (PFILE_GET_EA_INFORMATION) RxContext->CurrentIrpSp->Parameters.QueryEa.EaList; ULONG buflen = RxContext->CurrentIrpSp->Parameters.QueryEa.Length; @@ -673,8 +675,10 @@ NTSTATUS nfs41_QueryEaInformation( } else { status = map_setea_error(entry->status); } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&getexattr.tops); diff --git a/sys/nfs41sys_fileinfo.c b/sys/nfs41sys_fileinfo.c index 905096e..36407f6 100644 --- a/sys/nfs41sys_fileinfo.c +++ b/sys/nfs41sys_fileinfo.c @@ -186,7 +186,7 @@ NTSTATUS nfs41_QueryFileInformation( { NTSTATUS status = STATUS_OBJECT_NAME_NOT_FOUND; FILE_INFORMATION_CLASS InfoClass = RxContext->Info.FileInformationClass; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; __notnull PNFS41_V_NET_ROOT_EXTENSION pVNetRootContext = NFS41GetVNetRootExtension(SrvOpen->pVNetRoot); @@ -487,8 +487,10 @@ NTSTATUS nfs41_QueryFileInformation( print_error("status(0x%lx) = map_queryfile_error(entry->status(0x%lx));\n", (long)status, (long)entry->status); } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&getattr.tops); @@ -634,7 +636,7 @@ NTSTATUS nfs41_SetFileInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INVALID_PARAMETER; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; FILE_INFORMATION_CLASS InfoClass = RxContext->Info.FileInformationClass; FILE_RENAME_INFORMATION rinfo; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -757,8 +759,10 @@ NTSTATUS nfs41_SetFileInformation( nfs41_update_fcb_list(RxContext->pFcb, entry->ChangeTime); nfs41_fcb->changeattr = entry->ChangeTime; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&setattr.tops); diff --git a/sys/nfs41sys_fsctl.c b/sys/nfs41sys_fsctl.c index 0803229..fd84e79 100644 --- a/sys/nfs41sys_fsctl.c +++ b/sys/nfs41sys_fsctl.c @@ -174,7 +174,7 @@ NTSTATUS nfs41_QueryAllocatedRanges( if (entry->u.QueryAllocatedRanges.BufferMdl == NULL) { status = STATUS_INTERNAL_ERROR; DbgP("nfs41_QueryAllocatedRanges: IoAllocateMdl() failed\n"); - goto out_free; + goto out; } #pragma warning( push ) @@ -231,7 +231,7 @@ NTSTATUS nfs41_QueryAllocatedRanges( RxContext->IoStatusBlock.Information = 0; } -out_free: +out: if (entry) { if (entry->u.QueryAllocatedRanges.BufferMdl) { MmUnlockPages(entry->u.QueryAllocatedRanges.BufferMdl); @@ -242,7 +242,6 @@ out_free: nfs41_UpcallDestroy(entry); } -out: DbgEx(); return status; } @@ -535,11 +534,11 @@ NTSTATUS nfs41_SetZeroData( RxContext->IoStatusBlock.Information = 0; } +out: if (entry) { nfs41_UpcallDestroy(entry); } -out: DbgEx(); return status; } @@ -766,11 +765,11 @@ NTSTATUS nfs41_DuplicateData( RxContext->IoStatusBlock.Information = 0; } +out: if (entry) { nfs41_UpcallDestroy(entry); } -out: if (srcfo) { ObDereferenceObject(srcfo); } diff --git a/sys/nfs41sys_lock.c b/sys/nfs41sys_lock.c index 4f71120..803c4c1 100644 --- a/sys/nfs41sys_lock.c +++ b/sys/nfs41sys_lock.c @@ -261,7 +261,7 @@ NTSTATUS nfs41_Lock( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_SUCCESS; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; PLOWIO_CONTEXT LowIoContext = &RxContext->LowIoContext; __notnull PNFS41_FOBX nfs41_fobx = NFS41GetFobxExtension(RxContext->pFobx); __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -330,8 +330,10 @@ retry_upcall: status = map_lock_errors(entry->status); RxContext->CurrentIrp->IoStatus.Status = status; - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&lock.tops); @@ -382,7 +384,7 @@ NTSTATUS nfs41_Unlock( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_SUCCESS; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; PLOWIO_CONTEXT LowIoContext = &RxContext->LowIoContext; __notnull PNFS41_FOBX nfs41_fobx = NFS41GetFobxExtension(RxContext->pFobx); __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -448,8 +450,10 @@ NTSTATUS nfs41_Unlock( status = map_lock_errors(entry->status); RxContext->CurrentIrp->IoStatus.Status = status; - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&unlock.tops); diff --git a/sys/nfs41sys_mount.c b/sys/nfs41sys_mount.c index 8f4fa40..5c92f99 100644 --- a/sys/nfs41sys_mount.c +++ b/sys/nfs41sys_mount.c @@ -182,7 +182,7 @@ NTSTATUS nfs41_unmount( DWORD timeout) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; #ifdef DEBUG_MOUNT DbgEn(); @@ -197,8 +197,10 @@ NTSTATUS nfs41_unmount( SeDeleteClientSecurity(entry->psec_ctx); } entry->psec_ctx = NULL; - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS print_op_stat("lookup", &lookup, 1); print_op_stat("open", &open, 1); @@ -252,7 +254,7 @@ NTSTATUS nfs41_mount( PFILE_FS_ATTRIBUTE_INFORMATION FsAttrs) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; #ifdef DEBUG_MOUNT DbgEn(); @@ -290,8 +292,10 @@ NTSTATUS nfs41_mount( status = map_mount_errors(entry->status); if (status == STATUS_SUCCESS) *version = entry->version; - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef DEBUG_MOUNT DbgEx(); #endif diff --git a/sys/nfs41sys_openclose.c b/sys/nfs41sys_openclose.c index 972a2c7..6b030b0 100644 --- a/sys/nfs41sys_openclose.c +++ b/sys/nfs41sys_openclose.c @@ -703,8 +703,6 @@ retry_on_link: FALSE, FALSE, NULL); if (entry->u.Open.EaMdl == NULL) { status = STATUS_INTERNAL_ERROR; - nfs41_UpcallDestroy(entry); - entry = NULL; goto out; } #pragma warning( push ) @@ -771,7 +769,7 @@ retry_on_link: DbgP("nfs41_Create: Unknown symlinktarget_type=%d\n", (int)entry->u.Open.symlinktarget_type); status = STATUS_INVALID_PARAMETER; - goto out_free; + goto out; } AbsPath.Length += entry->u.Open.symlink.Length; AbsPath.MaximumLength = AbsPath.Length + sizeof(UNICODE_NULL); @@ -779,7 +777,7 @@ retry_on_link: AbsPath.MaximumLength, NFS41_MM_POOLTAG); if (AbsPath.Buffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; - goto out_free; + goto out; } buf = (PCHAR)AbsPath.Buffer; @@ -825,7 +823,7 @@ retry_on_link: } status = STATUS_REPARSE; } - goto out_free; + goto out; } status = map_open_errors(entry->status, @@ -834,7 +832,7 @@ retry_on_link: #ifdef DEBUG_OPEN print_open_error(1, status); #endif - goto out_free; + goto out; } if (!RxIsFcbAcquiredExclusive(Fcb)) { @@ -845,7 +843,7 @@ retry_on_link: RxContext->pFobx = RxCreateNetFobx(RxContext, SrvOpen); if (RxContext->pFobx == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; - goto out_free; + goto out; } #ifdef DEBUG_OPEN DbgP("nfs41_Create: created FOBX 0x%p\n", RxContext->pFobx); @@ -855,7 +853,7 @@ retry_on_link: if (nfs41_fobx->sec_ctx.ClientToken == NULL) { status = nfs41_get_sec_ctx(SecurityImpersonation, &nfs41_fobx->sec_ctx); if (status) - goto out_free; + goto out; } // we get attributes only for data access and file (not directories) @@ -1033,7 +1031,7 @@ retry_on_link: oentry = nfs41_allocate_nfs41_fcb_list_entry(); if (oentry == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; - goto out_free; + goto out; } oentry->fcb = RxContext->pFcb; oentry->nfs41_fobx = nfs41_fobx; @@ -1056,10 +1054,11 @@ retry_on_link: RxContext->Create.ReturnedCreateInformation; status = RxContext->CurrentIrp->IoStatus.Status = STATUS_SUCCESS; -out_free: - if (entry) - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } + #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); if ((params->DesiredAccess & FILE_READ_DATA) || @@ -1129,7 +1128,7 @@ NTSTATUS nfs41_CloseSrvOpen( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; __notnull PNFS41_V_NET_ROOT_EXTENSION pVNetRootContext = NFS41GetVNetRootExtension(SrvOpen->pVNetRoot); @@ -1176,8 +1175,10 @@ NTSTATUS nfs41_CloseSrvOpen( /* map windows ERRORs to NTSTATUS */ status = map_close_errors(entry->status); - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&close.tops); diff --git a/sys/nfs41sys_readwrite.c b/sys/nfs41sys_readwrite.c index 2cfcf7c..cc718df 100644 --- a/sys/nfs41sys_readwrite.c +++ b/sys/nfs41sys_readwrite.c @@ -230,7 +230,7 @@ NTSTATUS nfs41_Read( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; BOOLEAN async = FALSE; PLOWIO_CONTEXT LowIoContext = &RxContext->LowIoContext; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -282,6 +282,7 @@ NTSTATUS nfs41_Read( DbgP("This is asynchronous read, returning control back to the user\n"); #endif status = STATUS_PENDING; + entry = NULL; /* |entry| will be freed once async call is done */ goto out; } @@ -308,8 +309,10 @@ NTSTATUS nfs41_Read( RxContext->CurrentIrp->IoStatus.Status = status; RxContext->IoStatusBlock.Information = 0; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&read.tops); @@ -350,7 +353,7 @@ NTSTATUS nfs41_Write( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; BOOLEAN async = FALSE; PLOWIO_CONTEXT LowIoContext = &RxContext->LowIoContext; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -404,6 +407,7 @@ NTSTATUS nfs41_Write( DbgP("This is asynchronous write, returning control back to the user\n"); #endif status = STATUS_PENDING; + entry = NULL; /* |entry| will be freed once async call is done */ goto out; } @@ -437,8 +441,10 @@ NTSTATUS nfs41_Write( RxContext->CurrentIrp->IoStatus.Status = status; RxContext->IoStatusBlock.Information = 0; } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&write.tops); diff --git a/sys/nfs41sys_symlink.c b/sys/nfs41sys_symlink.c index d92281a..6db82de 100644 --- a/sys/nfs41sys_symlink.c +++ b/sys/nfs41sys_symlink.c @@ -417,8 +417,9 @@ NTSTATUS nfs41_SetSymlinkReparsePoint( status = map_symlink_errors(entry->status); out: - if (entry) + if (entry) { nfs41_UpcallDestroy(entry); + } if (prefixed_targetname) RxFreePool(prefixed_targetname); @@ -896,8 +897,9 @@ NTSTATUS nfs41_GetSymlinkReparsePoint( } out: - if (entry) + if (entry) { nfs41_UpcallDestroy(entry); + } if (targetname_buffer) RxFreePool(targetname_buffer); diff --git a/sys/nfs41sys_volinfo.c b/sys/nfs41sys_volinfo.c index 7d58020..af1cfa3 100644 --- a/sys/nfs41sys_volinfo.c +++ b/sys/nfs41sys_volinfo.c @@ -1,6 +1,6 @@ /* NFSv4.1 client for Windows * Copyright (C) 2012 The Regents of the University of Michigan - * Copyright (C) 2023-2024 Roland Mainz <roland.mainz@nrubsig.org> + * Copyright (C) 2023-2025 Roland Mainz <roland.mainz@nrubsig.org> * * Olga Kornievskaia <aglo@umich.edu> * Casey Bodley <cbodley@umich.edu> @@ -144,7 +144,7 @@ NTSTATUS nfs41_QueryVolumeInformation( IN OUT PRX_CONTEXT RxContext) { NTSTATUS status = STATUS_INVALID_PARAMETER; - nfs41_updowncall_entry *entry; + nfs41_updowncall_entry *entry = NULL; ULONG RemainingLength = RxContext->Info.LengthRemaining, SizeUsed; FS_INFORMATION_CLASS InfoClass = RxContext->Info.FsInformationClass; __notnull PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; @@ -280,8 +280,10 @@ NTSTATUS nfs41_QueryVolumeInformation( } else { status = map_volume_errors(entry->status); } - nfs41_UpcallDestroy(entry); out: + if (entry) { + nfs41_UpcallDestroy(entry); + } #ifdef ENABLE_TIMINGS t2 = KeQueryPerformanceCounter(NULL); InterlockedIncrement(&volume.tops); -- 2.45.1

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at