git: 771e95d2e2ee - main - netsmb: Avoid a read-after-free in smb_t2_request_int()
Mark Johnston
markj at FreeBSD.org
Wed May 26 14:49:47 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=771e95d2e2ee1b60539f1273c62837b48249590a
commit 771e95d2e2ee1b60539f1273c62837b48249590a
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-05-26 13:57:38 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-05-26 14:45:40 +0000
netsmb: Avoid a read-after-free in smb_t2_request_int()
Defer freeing the request structure until we've decided whether the
request should be retried.
PR: 255881
MFC after: 1 week
---
sys/netsmb/smb_rq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c
index 57bf053034ad..c5d5d0f85742 100644
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@@ -737,13 +737,13 @@ smb_t2_request_int(struct smb_t2rq *t2p)
bad:
smb_iod_removerq(rqp);
freerq:
- smb_rq_done(rqp);
if (error) {
if (rqp->sr_flags & SMBR_RESTART)
t2p->t2_flags |= SMBT2_RESTART;
md_done(&t2p->t2_rparam);
md_done(&t2p->t2_rdata);
}
+ smb_rq_done(rqp);
return error;
}
More information about the dev-commits-src-main
mailing list