Fix double free if reconnection races with request sending

Patch by E. Kuemmerle

2 files changed, 17 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 5d25cbd..66ca1e2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-11-14  Miklos Szeredi <miklos@szeredi.hu>
+
+	* Fix double free if reconnection races with request sending.
+	Patch by E. Kuemmerle
+
 2011-10-21  Miklos Szeredi <miklos@szeredi.hu>
 
 	* Remove "-oPreferredAuthentications" from ssh options if the
diff --git a/sshfs.c b/sshfs.c
index 6874e34..109d266 100644
--- a/sshfs.c
+++ b/sshfs.c
@@ -1752,9 +1752,16 @@ static int sftp_request_send(uint8_t type, struct iovec *iov, size_t count,
 
 	err = -EIO;
 	if (sftp_send_iov(type, id, iov, count) == -1) {
+		gboolean rmed;
+
 		pthread_mutex_lock(&sshfs.lock);
-		g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
+		rmed = g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
 		pthread_mutex_unlock(&sshfs.lock);
+
+		if (!rmed && !want_reply) {
+			/* request already freed */
+			return err;
+		}
 		goto out;
 	}
 	if (want_reply)
@@ -1775,12 +1782,13 @@ out:
 static int sftp_request_iov(uint8_t type, struct iovec *iov, size_t count,
                             uint8_t expect_type, struct buffer *outbuf)
 {
+	int err;
 	struct request *req;
 
-	sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
-			  &req);
+	err = sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
+				&req);
 	if (expect_type == 0)
-		return 0;
+		return err;
 
 	return sftp_request_wait(req, type, expect_type, outbuf);
 }