Possible use-after-free in transport.c:SendReceive and SendReceive2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi folks,

I have been trawling through the code to get a better understanding of
various things and I came across this curious thing in the smb2dev
branch in git://git.altlinux.org/people/piastry/public/cifs-2.6.git
but it is also in the master branch, it seems.

In transport.c:SendReceive (and SendReceive2 where we do similar things) we see:

...
        rc = cifs_sync_mid_result(midQ, ses->server);
        if (rc != 0) {
                add_credits(ses->server, 1, 0);
                return rc;
        }

        if (!midQ->resp_buf || !out_buf ||
            midQ->mid_state != MID_RESPONSE_RECEIVED) {
                rc = -EIO;
                cERROR(1, "Bad MID state?");
                goto out;
        }

        *pbytes_returned = get_rfc1002_length(midQ->resp_buf);
        memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4);
        rc = cifs_check_receive(midQ, ses->server, 0);
...

However, at the end of cifs_sync_mid_result we see:


        DeleteMidQEntry(mid);
        return rc;

and there are no early returns from cifs_sync_mid_result, it seems.
The "mid" in the DeleteMidQEntry call is the same midQ passed to
cifs_sync_mid_result, I believe.

So, it looks like we have a use-after-free situation and thus a race
to get the data out before someone else pollutes it.

Is this correct or have I got the wrong end of the stick here?

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux