Commit:     1174cf730179d8f029b9e93cb9a4d5bfb08d1202
Parent:     833f80627d10d370ea91b96de254850361c3a2fc
Author:     Vasily Averin <[EMAIL PROTECTED]>
AuthorDate: Fri Mar 16 13:38:24 2007 -0800
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Fri Mar 16 19:25:05 2007 -0700

    [PATCH] smbfs: double free memory corruption
    smbfs allocates rq_trans2buffer to handle server's multi transaction2 
    messages.  As struct smb_request may be reused, rq_trans2buffer is freed
    before each new request.  However if last servers's response is not multi 
    single trans2 message then new rq_trans2buffer is not allocated but last
    smb_rput still tries to free it again.
    To prevent this issue rq_trans2buffer pointer should be set to NULL after
    Signed-off-by: Vasily Averin <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
 fs/smbfs/request.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c
index 42261db..723f7c6 100644
--- a/fs/smbfs/request.c
+++ b/fs/smbfs/request.c
@@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_request *req)
        req->rq_errno = 0;
        req->rq_fragment = 0;
+       req->rq_trans2buffer = NULL;
        return 0;
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at

Reply via email to