From 806423be3c55f3de91c2b836d2088eeb0f4e4665 Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Sat, 16 Jan 2010 15:35:34 +0000 Subject: [PATCH] Don't double free call structure If the rx_Read() of the number of bytes in the FetchData64 response fails, then it sets code, and disposes of the call structure. However, the length safety check that was added in c7b92a3018044f7aca4d9a77644e5c06ef64d1e9 executes regardless of whether code is set, and the call has already been freed. So we end up calling rx_Error with a NULL call structure, and panic. Change-Id: Ia2e341b7a9a2ddc1d656e8b8a31698c0d1771d5e Reviewed-on: http://gerrit.openafs.org/1112 Reviewed-by: Jeffrey Altman Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- src/afs/afs_fetchstore.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afs/afs_fetchstore.c b/src/afs/afs_fetchstore.c index 771ce0b6a..c17a43484 100644 --- a/src/afs/afs_fetchstore.c +++ b/src/afs/afs_fetchstore.c @@ -992,7 +992,7 @@ rxfs_fetchInit(struct afs_conn *tc, struct vcache *avc, afs_offs_t base, /* We need to cast here, in order to avoid issues if *alength is * negative. Some, older, fileservers can return a negative length, * which the rest of the code deals correctly with. */ - if (*alength > (afs_int32) size) { + if (code == 0 && *alength > (afs_int32) size) { /* The fileserver told us it is going to send more data than we * requested. It shouldn't do that, and accepting that much data * can make us take up more cache space than we're supposed to, -- 2.39.5
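Review bot: The added `code == 0 &&` guard in the length check of rxfs_fetchInit() is only safe if every path that disposes of the call also leaves code non-zero, and nothing in the condition or the comment above it records that dependency. The commit message describes the failure as rx_Error being reached with a NULL call structure, so consider also testing the call pointer before entering the error path. Alternatively, extend the comment above the check to say that it is skipped when the preceding rx_Read() failed, since *alength may then not hold a value from the server. Separately, the subject line says "double free" while the body describes rx_Error being called on an already-disposed call; aligning the two would make the log easier to search.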