From 1174cf730179d8f029b9e93cb9a4d5bfb08d1202 Mon Sep 17 00:00:00 2001 From: Vasily Averin Date: Fri, 16 Mar 2007 13:38:24 -0800 Subject: [PATCH] [PATCH] smbfs: double free memory corruption smbfs allocates rq_trans2buffer to handle server's multi transaction2 response messages. As struct smb_request may be reused, rq_trans2buffer is freed before each new request. However if last servers's response is not multi but single trans2 message then new rq_trans2buffer is not allocated but last smb_rput still tries to free it again. To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree. Signed-off-by: Vasily Averin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/smbfs/request.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c index 42261dbdf60f..723f7c667661 100644 --- a/fs/smbfs/request.c +++ b/fs/smbfs/request.c @@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_request *req) req->rq_errno = 0; req->rq_fragment = 0; kfree(req->rq_trans2buffer); + req->rq_trans2buffer = NULL; return 0; }