From 20f04f08aa5032f1e958ba38654d9ed833b6b636 Mon Sep 17 00:00:00 2001
From: Richard Yao <ryao@gentoo.org>
Date: Tue, 8 Oct 2013 17:59:42 -0400
Subject: [PATCH] Fix incorrect usage of strdup() in zfs_unmount_snap()

Modifying the length of a string returned by strdup() is incorrect
because strfree() is allowed to use strlen() to determine which slab
cache was used to do the allocation.

Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Issue #1775
---
 module/zfs/zfs_ioctl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/module/zfs/zfs_ioctl.c b/module/zfs/zfs_ioctl.c
index be782ba80..b12205e68 100644
--- a/module/zfs/zfs_ioctl.c
+++ b/module/zfs/zfs_ioctl.c
@@ -3365,17 +3365,17 @@ zfs_unmount_snap(const char *snapname)
 	if ((ptr = strchr(snapname, '@')) == NULL)
 		return;
 
-	dsname = strdup(snapname);
-	dsname[ptr - snapname] = '\0';
-	snapname = strdup(ptr + 1);
-	fullname = kmem_asprintf("%s@%s", dsname, snapname);
+	dsname = kmem_alloc(ptr - snapname + 1, KM_SLEEP);
+	strlcpy(dsname, snapname, ptr - snapname + 1);
+	fullname = strdup(snapname);
+
 	if (zfs_sb_hold(dsname, FTAG, &zsb, B_FALSE) == 0) {
 		ASSERT(!dsl_pool_config_held(dmu_objset_pool(zsb->z_os)));
 		(void) zfsctl_unmount_snapshot(zsb, fullname, MNT_FORCE);
 		zfs_sb_rele(zsb, FTAG);
 	}
 
-	strfree(dsname);
+	kmem_free(dsname, ptr - snapname + 1);
 	strfree(fullname);
 
 	return;
-- 
2.40.0