kernel-aes67/fs/smbfs
Vasily Averin 1174cf7301 [PATCH] smbfs: double free memory corruption
smbfs allocates rq_trans2buffer to handle server's multi transaction2 response
messages.  As struct smb_request may be reused, rq_trans2buffer is freed
before each new request.  However if last servers's response is not multi but
single trans2 message then new rq_trans2buffer is not allocated but last
smb_rput still tries to free it again.

To prevent this issue rq_trans2buffer pointer should be set to NULL after
kfree.

Signed-off-by: Vasily Averin <vvs@sw.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-16 19:25:05 -07:00
..
cache.c [PATCH] struct path: convert smbfs 2006-12-08 08:28:49 -08:00
dir.c [PATCH] mark struct inode_operations const 3 2007-02-12 09:48:46 -08:00
file.c [PATCH] mark struct inode_operations const 3 2007-02-12 09:48:46 -08:00
getopt.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
getopt.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
inode.c [PATCH] Mark struct super_operations const 2007-02-12 09:48:47 -08:00
ioctl.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile [PATCH] smbfs: remove kmalloc wrapper 2006-01-14 18:27:13 -08:00
proc.c [PATCH] smbfs: Make conn_pid a struct pid 2006-12-13 09:05:53 -08:00
proto.h [PATCH] mark struct inode_operations const 3 2007-02-12 09:48:46 -08:00
request.c [PATCH] smbfs: double free memory corruption 2007-03-16 19:25:05 -07:00
request.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
smb_debug.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
smbiod.c [PATCH] smbfs: Make conn_pid a struct pid 2006-12-13 09:05:53 -08:00
sock.c [PATCH] struct path: convert smbfs 2006-12-08 08:28:49 -08:00
symlink.c [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00