[PATCH][next] cifs: fix double free error on share and prefix

[Steve French]

merged into cifs-2.6.git for-next

On Fri, Jul 31, 2020 at 12:15 PM Colin King <colin.king at canonical.com> wrote:
>
> From: Colin Ian King <colin.king at canonical.com>
>
> Currently if the call dfs_cache_get_tgt_share fails we cannot
> fully guarantee that share and prefix are set to NULL and the
> next iteration of the loop can end up potentially double freeing
> these pointers. Since the semantics of dfs_cache_get_tgt_share
> are ambiguous for failure cases with the setting of share and
> prefix (currently now and the possibly the future), it seems
> prudent to set the pointers to NULL when the objects are
> free'd to avoid any double frees.
>
> Addresses-Coverity: ("Double free")
> Fixes: 96296c946a2a ("cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect")
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
> ---
>  fs/cifs/connect.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 3c4dd4e1b9eb..4b2f5f5b3a8e 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -5574,6 +5574,8 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
>
>                 kfree(share);
>                 kfree(prefix);
> +               share = NULL;
> +               prefix = NULL;
>
>                 rc = dfs_cache_get_tgt_share(tcon->dfs_path + 1, it, &share, &prefix);
>                 if (rc) {
> --
> 2.27.0
>


-- 
Thanks,

Steve