cwfs: fix use after free bug (ai->cuid), remove waitedfor abort()

3 files changed, 2 insertions, 12 deletions

diff --git a/sys/src/cmd/cwfs/auth.c b/sys/src/cmd/cwfs/auth.c
index 5ca644ed3..e3d51be7e 100644
--- a/sys/src/cmd/cwfs/auth.c
+++ b/sys/src/cmd/cwfs/auth.c
@@ -143,12 +143,13 @@ authread(File *file, uchar *data, int count)
 		if((ai = auth_getinfo(rpc)) == nil)
 			goto Phase;
 		file->uid = strtouid(ai->cuid);
-		auth_freeAI(ai);
 		if(file->uid < 0){
 			snprint(chan->err, sizeof(chan->err),
 				"unknown user '%s'", ai->cuid);
+			auth_freeAI(ai);
 			return -1;
 		}
+		auth_freeAI(ai);
 		return 0;
 	case ARok:
 		if(count < rpc->narg){
diff --git a/sys/src/cmd/cwfs/portdat.h b/sys/src/cmd/cwfs/portdat.h
index 3b17db295..ffa510230 100644
--- a/sys/src/cmd/cwfs/portdat.h
+++ b/sys/src/cmd/cwfs/portdat.h
@@ -164,7 +164,6 @@ struct	Queue
 	Rendez	empty;
 	Rendez	full;
 
-	int	waitedfor;	/* flag */
 	char*	name;		/* for debugging */
 
 	int	size;		/* size of queue */
diff --git a/sys/src/cmd/cwfs/sub.c b/sys/src/cmd/cwfs/sub.c
index 619c7d22d..f79eca478 100644
--- a/sys/src/cmd/cwfs/sub.c
+++ b/sys/src/cmd/cwfs/sub.c
@@ -928,7 +928,6 @@ fs_recv(Queue *q, int)
 	if(q == nil)
 		panic("recv null q");
 	qlock(q);
-	q->waitedfor = 1;
 	while((c = q->count) <= 0)
 		rsleep(&q->empty);
 	i = q->loc;
@@ -950,15 +949,6 @@ fs_send(Queue *q, void *a)
 
 	if(q == nil)
 		panic("send null q");
-	if(!q->waitedfor) {
-		for (i = 0; i < 5 && !q->waitedfor; i++)
-			sleep(1000);
-		if(!q->waitedfor) {
-			/* likely a bug; don't wait forever */
-			fprint(2, "no readers yet for %s q\n", q->name);
-			abort();
-		}
-	}
 	qlock(q);
 	while((c = q->count) >= q->size)
 		rsleep(&q->full);