aboutsummaryrefslogtreecommitdiffstats
path: root/fs/smbfs/request.c
diff options
context:
space:
mode:
authorVasily Averin <vvs@sw.ru>2007-03-16 13:38:24 -0800
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-03-16 19:25:05 -0700
commit1174cf730179d8f029b9e93cb9a4d5bfb08d1202 (patch)
tree0d02da2b8a543ff014f44e87c78fd9e837861113 /fs/smbfs/request.c
parent833f80627d10d370ea91b96de254850361c3a2fc (diff)
downloadkernel_samsung_crespo-1174cf730179d8f029b9e93cb9a4d5bfb08d1202.zip
kernel_samsung_crespo-1174cf730179d8f029b9e93cb9a4d5bfb08d1202.tar.gz
kernel_samsung_crespo-1174cf730179d8f029b9e93cb9a4d5bfb08d1202.tar.bz2
[PATCH] smbfs: double free memory corruption
smbfs allocates rq_trans2buffer to handle server's multi transaction2 response messages. As struct smb_request may be reused, rq_trans2buffer is freed before each new request. However if last servers's response is not multi but single trans2 message then new rq_trans2buffer is not allocated but last smb_rput still tries to free it again. To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree. Signed-off-by: Vasily Averin <vvs@sw.ru> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/smbfs/request.c')
-rw-r--r--fs/smbfs/request.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c
index 42261db..723f7c6 100644
--- a/fs/smbfs/request.c
+++ b/fs/smbfs/request.c
@@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_request *req)
req->rq_errno = 0;
req->rq_fragment = 0;
kfree(req->rq_trans2buffer);
+ req->rq_trans2buffer = NULL;
return 0;
}