From: Simon Wilkinson Date: Sat, 16 Jan 2010 15:52:58 +0000 (+0000) Subject: Don't double free call structure X-Git-Tag: openafs-stable-1_4_12pre2~5 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=26ffbd3f1c07420796c772e821786cfa4bcc0bc5;p=packages%2Fo%2Fopenafs.git Don't double free call structure If the rx_Read() of the number of bytes in the FetchData64 response fails, then it sets code, and disposes of the call structure. However, the length safety check that was added in c7b92a3018044f7aca4d9a77644e5c06ef64d1e9 executes regardless of whether code is set, and the call has already been freed. So we end up calling rx_Error with a NULL call structure, and panic. (pulled up from 806423be3c55f3de91c2b836d2088eeb0f4e4665) Change-Id: Ia1ee4ab9c794db9337e4eb7b5b5980c8a57cef0b Reviewed-on: http://gerrit.openafs.org/1113 Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- diff --git a/src/afs/afs_dcache.c b/src/afs/afs_dcache.c index f99191073..c61211352 100644 --- a/src/afs/afs_dcache.c +++ b/src/afs/afs_dcache.c @@ -2209,7 +2209,7 @@ afs_GetDCache(register struct vcache *avc, afs_size_t abyte, } #endif /* AFS_64BIT_CLIENT */ - if (length > size) { + if (code == 0 && length > size) { /* The fileserver told us it is going to send more data * than we requested. It shouldn't do that, and * accepting that much data can make us take up more
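Review bot: The `code == 0` guard in `if (code == 0 && length > size)` protects the rx_Error call only indirectly, because the hazard described in the commit message is a call structure that has already been disposed and is NULL, not the value of code itself. The condition is therefore correct only as long as every path that frees the call before this point also sets code. Checking the call pointer for NULL in this condition, either alongside or instead of code, would keep the block safe if a later change disposes of the call without setting code. The comment inside the block explains the oversized-length case but not the new guard; one sentence there stating that the call is already gone when code is nonzero would keep the reason visible to the next person who edits this check.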