Hi folks,
I have been trawling through the code to get a better understanding of
various things and I came across this curious thing in the smb2dev
branch in git://git.altlinux.org/people/piastry/public/cifs-2.6.git
but it is also in the master branch, it seems.
In transport.c:SendReceive (and SendReceive2 where we do similar things) we see:
...
rc = cifs_sync_mid_result(midQ, ses->server);
if (rc != 0) {
add_credits(ses->server, 1, 0);
return rc;
}
if (!midQ->resp_buf || !out_buf ||
midQ->mid_state != MID_RESPONSE_RECEIVED) {
rc = -EIO;
cERROR(1, "Bad MID state?");
goto out;
}
*pbytes_returned = get_rfc1002_length(midQ->resp_buf);
memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4);
rc = cifs_check_receive(midQ, ses->server, 0);
...
However, at the end of cifs_sync_mid_result we see:
DeleteMidQEntry(mid);
return rc;
and there are no early returns from cifs_sync_mid_result, it seems.
The "mid" in the DeleteMidQEntry call is the same midQ passed to
cifs_sync_mid_result, I believe.
So, it looks like we have a use-after-free situation and thus a race
to get the data out before someone else pollutes it.
Is this correct or have I got the wrong end of the stick here?
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
