netsmb: Avoid a read-after-free in smb_t2_request_int()

Defer freeing the request structure until we've decided whether the request should be retried. PR: 255881 MFC after: 1 week
2021-05-26 09:57:38 -04:00 · 2021-05-26 09:57:38 -04:00 · 771e95d2e2
commit 771e95d2e2
parent 71776d6719
1 changed files with 1 additions and 1 deletions
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@ -737,13 +737,13 @@ smb_t2_request_int(struct smb_t2rq *t2p)
 bad:
 	smb_iod_removerq(rqp);
 freerq:
-	smb_rq_done(rqp);
 	if (error) {
 		if (rqp->sr_flags & SMBR_RESTART)
 			t2p->t2_flags |= SMBT2_RESTART;
 		md_done(&t2p->t2_rparam);
 		md_done(&t2p->t2_rdata);
 	}
+	smb_rq_done(rqp);
 	return error;
 }