* [patch 2.6.21-rc3] [smbfs] "double free" memory corruption in smbfs
@ 2007-03-14 12:23 Vasily Averin
0 siblings, 0 replies; only message in thread
From: Vasily Averin @ 2007-03-14 12:23 UTC (permalink / raw)
To: Andrew Morton, Linux Kernel Mailing List, linux-fsdevel,
Urban Widmark, devel
smbfs allocates rq_trans2buffer to handle server's multi transaction2 response
messages. As struct smb_request may be reused, rq_trans2buffer is freed before
each new request. However if last servers's response is not multi but single
trans2 message then new rq_trans2buffer is not allocated but last smb_rput still
tries to free it again.
To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree.
Signed-off-by: Vasily Averin <vvs@sw.ru>
--- 2.6.21-rc3/fs/smbfs/request.c 2007-03-13 14:22:53.000000000 +0300
+++ 2.6.21-rc3/fs/smbfs/request.c 2007-03-14 11:44:18.000000000 +0300
@@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_
req->rq_errno = 0;
req->rq_fragment = 0;
kfree(req->rq_trans2buffer);
+ req->rq_trans2buffer = NULL;
return 0;
}
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2007-03-14 12:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-14 12:23 [patch 2.6.21-rc3] [smbfs] "double free" memory corruption in smbfs Vasily Averin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox