[PATCH] smbfs: double free memory corruption
smbfs allocates rq_trans2buffer to handle server's multi transaction2 response
messages.  As struct smb_request may be reused, rq_trans2buffer is freed
before each new request.  However if last server's response is not multi but
single trans2 message then new rq_trans2buffer is not allocated but last
smb_rput still tries to free it again.

To prevent this issue rq_trans2buffer pointer should be set to NULL after
kfree.

Signed-off-by: Vasily Averin <vvs@sw.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vasily Averin authored and Linus Torvalds committed Mar 17, 2007
1 parent 833f806 commit 1174cf7
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions fs/smbfs/request.c
Expand Up @@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_request *req)
req->rq_errno = 0;
req->rq_fragment = 0;
kfree(req->rq_trans2buffer);
req->rq_trans2buffer = NULL;

return 0;
}
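Review bot: the added `req->rq_trans2buffer = NULL;` in smb_setup_request has no comment, and the reason for it is not obvious from the code alone. Per the commit message, struct smb_request is reused and a single (non-multi) trans2 response allocates no new buffer, so without the reset the stale pointer reaches the last smb_rput and is freed a second time. A one-line comment on that assignment would keep it from being dropped as redundant in a later cleanup. Because kfree(NULL) is a no-op, the reset makes the later free harmless; any other site that frees rq_trans2buffer should clear the pointer the same way.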