[PATCH] smbfs: double free memory corruption

smbfs allocates rq_trans2buffer to handle server's multi transaction2 response messages. As struct smb_request may be reused, rq_trans2buffer is freed before each new request. However if last servers's response is not multi but single trans2 message then new rq_trans2buffer is not allocated but last smb_rput still tries to free it again. To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree. Signed-off-by: N Vasily Averin <vvs@sw.ru> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

[PATCH] smbfs: double free memory corruption
smbfs allocates rq_trans2buffer to handle server's multi transaction2 response messages. As struct smb_request may be reused, rq_trans2buffer is freed before each new request. However if last servers's response is not multi but single trans2 message then new rq_trans2buffer is not allocated but last smb_rput still tries to free it again. To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree. Signed-off-by: N Vasily Averin <vvs@sw.ru> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
1174cf73 · Vasily Averin · Linus Torvalds · 833f8062 · 1174cf73
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

fs/smbfs/request.c fs/smbfs/request.c +1 -0

未找到文件。
--- a/fs/smbfs/request.c
+++ b/fs/smbfs/request.c
@@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_request *req)
 	req->rq_errno = 0;
 	req->rq_fragment = 0;
 	kfree(req->rq_trans2buffer);
+	req->rq_trans2buffer = NULL;

 	return 0;
 }