[patch] target: use after free in error handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

iscsit_release_cmd() frees the memory that "se_cmd" was pointing to
so this is a use after free bug.  Also "se_cmd" is non-null here so I
removed the unneeded null check.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>

diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
index a1acb01..bea5c29 100644
--- a/drivers/target/iscsi/iscsi_target_util.c
+++ b/drivers/target/iscsi/iscsi_target_util.c
@@ -297,9 +297,8 @@ struct iscsi_cmd *iscsit_allocate_se_cmd_for_tmr(
 
 	return cmd;
 out:
+	transport_free_se_cmd(se_cmd);
 	iscsit_release_cmd(cmd);
-	if (se_cmd)
-		transport_free_se_cmd(se_cmd);
 	return NULL;
 }
 
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux