don't call rpc_free_pdu() after rpc_queue_pdu() failure

rpc_queue_pdu() already calls rpc_free_pdu() in its failure code path. Doing that again would constitute a double free bug.
sahlberg · Mar 8, 2017 · 43fecee · 43fecee
1 parent bc4f88e
commit 43fecee
Show file tree

Hide file tree

Showing 9 changed files with 0 additions and 85 deletions.
diff --git a/lib/libnfs.c b/lib/libnfs.c
@@ -5692,7 +5692,6 @@ int rpc_null_async(struct rpc_context *rpc, int program, int version, rpc_cb cb,
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Out of memory. Failed to queue pdu for NULL call");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 

diff --git a/mount/mount.c b/mount/mount.c
@@ -39,7 +39,6 @@ int rpc_mount3_null_async(struct rpc_context *rpc, rpc_cb cb, void *private_data
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Out of memory. Failed to queue pdu for mount/null call");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -69,7 +68,6 @@ int rpc_mount3_mnt_async(struct rpc_context *rpc, rpc_cb cb, char *export, void
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Out of memory. Failed to queue pdu for mount/mnt call");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -93,7 +91,6 @@ int rpc_mount3_dump_async(struct rpc_context *rpc, rpc_cb cb, void *private_data
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue mount/dump pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -123,7 +120,6 @@ int rpc_mount3_umnt_async(struct rpc_context *rpc, rpc_cb cb, char *export, void
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue mount/umnt pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -147,7 +143,6 @@ int rpc_mount3_umntall_async(struct rpc_context *rpc, rpc_cb cb, void *private_d
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue mount/umntall pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -171,7 +166,6 @@ int rpc_mount3_export_async(struct rpc_context *rpc, rpc_cb cb, void *private_da
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue mount/export pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -235,7 +229,6 @@ int rpc_mount1_null_async(struct rpc_context *rpc, rpc_cb cb, void *private_data
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Out of memory. Failed to queue pdu for MOUNT1/NULL call");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -260,7 +253,6 @@ int rpc_mount1_mnt_async(struct rpc_context *rpc, rpc_cb cb, char *export, void
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Out of memory. Failed to queue pdu for MOUNT1/MNT call");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -279,7 +271,6 @@ int rpc_mount1_dump_async(struct rpc_context *rpc, rpc_cb cb, void *private_data
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue MOUNT1/DUMP pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -304,7 +295,6 @@ int rpc_mount1_umnt_async(struct rpc_context *rpc, rpc_cb cb, char *export, void
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue MOUNT1/UMNT pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -323,7 +313,6 @@ int rpc_mount1_umntall_async(struct rpc_context *rpc, rpc_cb cb, void *private_d
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue MOUNT1/UMNTALL pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}
 
@@ -342,7 +331,6 @@ int rpc_mount1_export_async(struct rpc_context *rpc, rpc_cb cb, void *private_da
 
 	if (rpc_queue_pdu(rpc, pdu) != 0) {
 		rpc_set_error(rpc, "Failed to queue MOUNT1/EXPORT pdu");
-		rpc_free_pdu(rpc, pdu);
 		return -1;
 	}