From 771e95d2e2ee1b60539f1273c62837b48249590a Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Wed, 26 May 2021 09:57:38 -0400 Subject: [PATCH] netsmb: Avoid a read-after-free in smb_t2_request_int() Defer freeing the request structure until we've decided whether the request should be retried. PR: 255881 MFC after: 1 week --- sys/netsmb/smb_rq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index 57bf053034ad..c5d5d0f85742 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c @@ -737,13 +737,13 @@ smb_t2_request_int(struct smb_t2rq *t2p) bad: smb_iod_removerq(rqp); freerq: - smb_rq_done(rqp); if (error) { if (rqp->sr_flags & SMBR_RESTART) t2p->t2_flags |= SMBT2_RESTART; md_done(&t2p->t2_rparam); md_done(&t2p->t2_rdata); } + smb_rq_done(rqp); return error; }