| author | Henrique Carvalho <henrique.carvalho@suse.com> | 2026-06-18 17:34:35 -0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-06-18 18:12:23 -0500 |
| commit | f96e1cdcb63ed3321142ff2fcdf784e32cda8fee (patch) | |
| tree | 21fdc7cf19a04ba8064396044907a1d5146a5a66 /fs | |
| parent | f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9 (diff) | |
| download | ath-f96e1cdcb63ed3321142ff2fcdf784e32cda8fee.tar.gz | |
smb: client: fix double-free in SMB2_close() replay
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_close_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.
Reset response bookkeeping before each attempt to prevent the stale free.
Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/smb/client/smb2pdu.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 121ae914c3cf9..a7b1fbe28a2d0 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -3728,6 +3728,8 @@ __SMB2_close(const unsigned int xid, struct cifs_tcon *tcon, replay_again: /* reinitialize for possible replay */ + resp_buftype = CIFS_NO_BUFFER; + memset(&rsp_iov, 0, sizeof(rsp_iov)); flags = 0; query_attrs = false; server = cifs_pick_channel(ses); |
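Review bot: The two resets added under replay_again: in __SMB2_close() are covered only by the existing /* reinitialize for possible replay */ comment, which does not say that they keep the cleanup path from freeing the previous attempt's response again when SMB2_close_init() fails before the next send. A one-line comment above resp_buftype = CIFS_NO_BUFFER; stating that would stop a later cleanup from dropping the assignments as redundant re-initialization. Separately, the change touches only this one function, while the subject of the Fixes: commit refers to retried commands in general, so the commit message should say whether the other replay paths were checked for the same stale resp_buftype and rsp_iov.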
