authorSu Hui <suhui@nfschina.com>2024-10-15 18:20:37 +0800
committerSteve French <stfrench@microsoft.com>2024-10-16 00:25:54 -0500
commit19ebc1e6cab334a8193398d4152deb76019b5d34 (patch)
tree9efaef72f042365777b2976ff67977cf67c2a20d /fs/smb
parent8e929cb546ee42c9a61d24fae60605e9e3192354 (diff)
smb: client: fix possible double free in smb2_set_ea()
Clang static checker(scan-build) warning: fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. 1304 | kfree(ea); | ^~~~~~~~~ There is a double free in such case: 'ea is initialized to NULL' -> 'first successful memory allocation for ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' -> 'goto replay_again' -> 'second goto sea_exit before allocate memory for ea' -> 'second memory release for ea resulted in double free'. Re-initialize 'ea' to NULL near to the replay_again label, it can fix this double free problem. Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Su Hui <suhui@nfschina.com> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb')
-rw-r--r--fs/smb/client/smb2ops.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 6b385fce3f2a..24a2aa04a108 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -1158,7 +1158,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
struct cifs_fid fid;
unsigned int size[1];
void *data[1];
- struct smb2_file_full_ea_info *ea = NULL;
+ struct smb2_file_full_ea_info *ea;
struct smb2_query_info_rsp *rsp;
int rc, used_len = 0;
int retries = 0, cur_sleep = 1;
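Review bot: Dropping the `= NULL` initializer from the `ea` declaration leaves the pointer indeterminate between its declaration and the `ea = NULL` added after the replay_again label in the second hunk, so any exit in that window that reaches `sea_exit` would hand an uninitialized pointer to kfree(). The early exits visible after the label (`return -ENOMEM` on the utf16_path check) return directly rather than jumping to the cleanup label, so this appears safe as written, but the paths between the declaration and the label are not visible here and cannot be confirmed from the hunk. Keeping `struct smb2_file_full_ea_info *ea = NULL;` at the declaration alongside the new reset after the label costs nothing and removes the reliance on that invariant. A short comment at the reset, such as `/* sea_exit frees ea; reset it so a replay cannot free it twice */`, would record why the assignment lives after replay_again rather than at the declaration. smb2_set_ea's body starts before and ends after this hunk.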
@@ -1179,6 +1179,7 @@ replay_again:
if (!utf16_path)
return -ENOMEM;
+ ea = NULL;
resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
vars = kzalloc(sizeof(*vars), GFP_KERNEL);
if (!vars) {