MFS 1.55.2.11: Correct a reference counting bug in readv(2).

3 files changed, 10 insertions, 7 deletions

diff --git a/UPDATING b/UPDATING
index ca14fc335eec..76b2b5cbfe45 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,9 @@ minimal number of processes, if possible, for that patch.  For those
 updates that don't have an advisory, or to be safe, you can do a full
 build and install as described in the COMMON ITEMS section.
 
+20031002:	p41	FreeBSD-SA-03:16.filedesc
+	Correct a reference counting bug in readv(2).
+
 20030924:	p40	FreeBSD-SA-03:14.arp
 	Updated fix for arplookup bug.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 25b4f0a91851..ec664c24c70c 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
 
 TYPE="FreeBSD"
 REVISION="4.3"
-BRANCH="RELEASE-p40"
+BRANCH="RELEASE-p41"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c
index bcea567e51e0..bab39b55da35 100644
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@@ -231,7 +231,7 @@ readv(p, uap)
 	register struct filedesc *fdp = p->p_fd;
 	struct uio auio;
 	register struct iovec *iov;
-	struct iovec *needfree;
+	struct iovec *needfree = NULL;
 	struct iovec aiov[UIO_SMALLIOV];
 	long i, cnt, error = 0;
 	u_int iovlen;
@@ -245,14 +245,14 @@ readv(p, uap)
 	/* note: can't use iovlen until iovcnt is validated */
 	iovlen = uap->iovcnt * sizeof (struct iovec);
 	if (uap->iovcnt > UIO_SMALLIOV) {
-		if (uap->iovcnt > UIO_MAXIOV)
-			return (EINVAL);
+		if (uap->iovcnt > UIO_MAXIOV) {
+			error = EINVAL;
+			goto done;
+		}
 		MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
 		needfree = iov;
-	} else {
+	} else
 		iov = aiov;
-		needfree = NULL;
-	}
 	auio.uio_iov = iov;
 	auio.uio_iovcnt = uap->iovcnt;
 	auio.uio_rw = UIO_READ;