From: Vasily Averin Date: Fri, 16 Mar 2007 21:38:24 +0000 (-0800) Subject: [PATCH] smbfs: double free memory corruption X-Git-Tag: v2.6.21-rc5~90 X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1174cf730179d8f029b9e93cb9a4d5bfb08d1202;p=pandora-kernel.git [PATCH] smbfs: double free memory corruption smbfs allocates rq_trans2buffer to handle server's multi transaction2 response messages. As struct smb_request may be reused, rq_trans2buffer is freed before each new request. However if last servers's response is not multi but single trans2 message then new rq_trans2buffer is not allocated but last smb_rput still tries to free it again. To prevent this issue rq_trans2buffer pointer should be set to NULL after kfree. Signed-off-by: Vasily Averin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- Reading git-diff-tree failed