diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-05-26 13:57:38 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-06-02 13:34:47 +0000 |
| commit | a9ff49e0288b8844ddc6fb2a278ec652908d30cc (patch) | |
| tree | 64df3515d863dc74d6c10b838be2a84f2ce1b7b1 | |
| parent | 4814dbd3c0e6fc02014f145bd54b3b854162e4e4 (diff) | |
| download | src-a9ff49e0288b8844ddc6fb2a278ec652908d30cc.tar.gz src-a9ff49e0288b8844ddc6fb2a278ec652908d30cc.zip | |
netsmb: Avoid a read-after-free in smb_t2_request_int()
Defer freeing the request structure until we've decided whether the
request should be retried.
PR: 255881
MFC after: 1 week
(cherry picked from commit 771e95d2e2ee1b60539f1273c62837b48249590a)
| -rw-r--r-- | sys/netsmb/smb_rq.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index 57bf053034ad..c5d5d0f85742 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c @@ -737,13 +737,13 @@ smb_t2_request_int(struct smb_t2rq *t2p) bad: smb_iod_removerq(rqp); freerq: - smb_rq_done(rqp); if (error) { if (rqp->sr_flags & SMBR_RESTART) t2p->t2_flags |= SMBT2_RESTART; md_done(&t2p->t2_rparam); md_done(&t2p->t2_rdata); } + smb_rq_done(rqp); return error; } |