aboutsummaryrefslogtreecommitdiff
path: root/sshfs.c
diff options
context:
space:
mode:
authorMiklos Szeredi <mszeredi@suse.cz>2011-11-14 15:12:52 +0100
committerBenjamin Fleischer <fleiben@gmail.com>2012-01-22 10:45:16 +0100
commit04a610bad194a9d375c2b0324b1c8e119465fc57 (patch)
tree423c409196eedd4b354868a178cc401db8588e0f /sshfs.c
parentd8da0c4ed6fcb336c93503fd980b930de547470f (diff)
downloadsshfs-04a610bad194a9d375c2b0324b1c8e119465fc57.tar
sshfs-04a610bad194a9d375c2b0324b1c8e119465fc57.tar.gz
sshfs-04a610bad194a9d375c2b0324b1c8e119465fc57.tar.bz2
sshfs-04a610bad194a9d375c2b0324b1c8e119465fc57.zip
Fix double free if reconnection races with request sending
Patch by E. Kuemmerle
Diffstat (limited to 'sshfs.c')
-rw-r--r--sshfs.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/sshfs.c b/sshfs.c
index 74d0e71..5c2bd51 100644
--- a/sshfs.c
+++ b/sshfs.c
@@ -1828,9 +1828,16 @@ static int sftp_request_send(uint8_t type, struct iovec *iov, size_t count,
err = -EIO;
if (sftp_send_iov(type, id, iov, count) == -1) {
+ gboolean rmed;
+
pthread_mutex_lock(&sshfs.lock);
- g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
+ rmed = g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
pthread_mutex_unlock(&sshfs.lock);
+
+ if (!rmed && !want_reply) {
+ /* request already freed */
+ return err;
+ }
goto out;
}
if (want_reply)
@@ -1851,12 +1858,13 @@ out:
static int sftp_request_iov(uint8_t type, struct iovec *iov, size_t count,
uint8_t expect_type, struct buffer *outbuf)
{
+ int err;
struct request *req;
- sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
- &req);
+ err = sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
+ &req);
if (expect_type == 0)
- return 0;
+ return err;
return sftp_request_wait(req, type, expect_type, outbuf);
}