Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
authorGreg Banks <gnb@sgi.com>
Tue, 20 Feb 2007 23:14:36 +0000 (00:14 +0100)
committerAdrian Bunk <bunk@stusta.de>
Tue, 20 Feb 2007 23:14:36 +0000 (00:14 +0100)
Due to type confusion, when an nfsacl version 2 'ACCESS' request
finishes and tries to clean up, it calls fh_put on entirely the
wrong thing and this can cause an oops.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
fs/nfsd/nfs2acl.c

index fc95c4df66934e4fe420aada6f1feac601ee8f92..c318b6fc8187eefe12ae5034e31b9c78023fb83f 100644 (file)
@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, u32 *p,
        return 1;
 }
 
-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, u32 *p,
-               struct nfsd_fhandle *resp)
+static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, u32 *p,
+               struct nfsd_attrstat *resp)
 {
        fh_put(&resp->fh);
        return 1;
 }
 
+static int nfsaclsvc_release_access(struct svc_rqst *rqstp, u32 *p,
+               struct nfsd3_accessres *resp)
+{
+       fh_put(&resp->fh);
+       return 1;
+}
+
 #define nfsaclsvc_decode_voidargs      NULL
 #define nfsaclsvc_encode_voidres       NULL
 #define nfsaclsvc_release_void         NULL
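Review bot: `nfsaclsvc_release_attrstat` and `nfsaclsvc_release_access` have identical bodies and differ only in the type of `resp`, and nothing on the new lines says why both exist. A later cleanup that merges them would bring back the wrong-pointer `fh_put` this commit removes, presumably because `fh` sits at a different offset in `struct nfsd3_accessres` than in `struct nfsd_attrstat` (the struct definitions are not visible in this hunk). I would add a comment above the pair, for example `/* One release helper per result type: resp must be the struct the procedure filled in, since &resp->fh depends on its layout. */`.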
@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
 static struct svc_procedure            nfsd_acl_procedures2[] = {
   PROC(null,   void,           void,           void,     RC_NOCACHE, ST),
   PROC(getacl, getacl,         getacl,         getacl,   RC_NOCACHE, ST+1+2*(1+ACL)),
-  PROC(setacl, setacl,         attrstat,       fhandle,  RC_NOCACHE, ST+AT),
-  PROC(getattr, fhandle,       attrstat,       fhandle,  RC_NOCACHE, ST+AT),
-  PROC(access, access,         access,         fhandle,  RC_NOCACHE, ST+AT+1),
+  PROC(setacl, setacl,         attrstat,       attrstat, RC_NOCACHE, ST+AT),
+  PROC(getattr, fhandle,       attrstat,       attrstat, RC_NOCACHE, ST+AT),
+  PROC(access, access,         access,         access,   RC_NOCACHE, ST+AT+1),
 };
 
 struct svc_version     nfsd_acl_version2 = {
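Review bot: Nothing in `nfsd_acl_procedures2[]` ties the release column to the result column, so the mismatch corrected here for `access` can return the next time a row is added or edited. After this change the third and fourth PROC arguments agree on every row, but only by convention. PROC is defined outside this hunk; if it casts the release function to a generic pointer type, as the "type confusion" in the commit message suggests, the compiler will not flag a wrong entry. I would add `/* release type (4th arg) must match the result type (3rd arg) of the same row */` above the table, or have PROC derive the release function from the result type so the two cannot diverge.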