Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   Tomas Bortoli <tomasbortoli@gmail.com>
To:     ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net
Cc:     davem@davemloft.net, v9fs-developer@lists.sourceforge.net,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzkaller@googlegroups.com, Tomas Bortoli <tomasbortoli@gmail.com>
Subject: [V9fs-developer] [PATCH] version pointer uninitialized
Date:   Tue, 10 Jul 2018 00:29:43 +0200
Message-Id: <20180709222943.19503-1-tomasbortoli@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

The p9_client_version() does not initialize the version
pointer. If the call to p9pdu_readf() returns an error and version has not
been allocated in p9pdu_readf(), then the program will jump to the "error"
label and will try to free the version pointer. If version is not
initialized, free() will be called with uninitialized, garbage data and
will provoke a crash.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
---
 net/9p/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index 18c5271910dc..40f7c47f2f74 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -957,7 +957,7 @@ static int p9_client_version(struct p9_client *c)
 {
 	int err = 0;
 	struct p9_req_t *req;
-	char *version;
+	char *version = NULL;
 	int msize;
 
 	p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
-- 
2.11.0