| author | Henrique Carvalho <henrique.carvalho@suse.com> | 2026-06-18 17:34:38 -0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-18 18:12:23 -0500 |
| commit | 9647492b5e41954be59d5157eddbcd4cdc1656f7 (patch) | |
| tree | c5739b6d08c92b6707b9913f24956152947b30f1 /fs | |
| parent | 145f820dcbb2cced374f2532f8a61a44dce4a615 (diff) | |
| download | ath-9647492b5e41954be59d5157eddbcd4cdc1656f7.tar.gz | |
smb: client: fix query directory replay double-free

A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_directory_init() fails before the next send,
cleanup retains the previous buffer type and frees that response again.

Reset response bookkeeping before each attempt to prevent the stale free.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'fs')
| -rw-r--r-- | fs/smb/client/smb2pdu.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 7d4b37b776c5e..85642ea992d57 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -5720,6 +5720,8 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, replay_again: /* reinitialize for possible replay */ + resp_buftype = CIFS_NO_BUFFER; + memset(&rsp_iov, 0, sizeof(rsp_iov)); flags = 0; server = cifs_pick_channel(ses); |
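
Review bot: The two resets added under the replay_again: label have no comment explaining why they are needed, and the existing "/* reinitialize for possible replay */" line does not say that cleanup frees the response according to resp_buftype. A one-line comment at that spot, noting that a failed SMB2_query_directory_init() on a replay would otherwise reach cleanup with the previous attempt's already-freed buffer still recorded in resp_buftype and rsp_iov, would keep a later cleanup from dropping the reset as redundant. Because the commit named in Fixes: is about retried commands in general, it is also worth confirming in review whether the other replay_again sites in smb2pdu.c reset their response bookkeeping in the same place.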
