From 84c4e9cf7367ef5b5d059d35ae8f1c15b243abb0 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Sun, 28 Dec 2008 21:05:00 +0000
Subject: [PATCH] DEVEL15-rx-rdwr-writeproc-race-20081228 LICENSE MIT FIXES 123799 prevent rx_WriteProc() from passing a packet to rxi_PrepareSendPacket() that has been freed and possibly allocated to another call. (cherry picked from commit d0cc6eb2f5f0aea0a6ad88de2d847f93d07cc8b9)
---
 src/rx/rx_rdwr.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/rx/rx_rdwr.c b/src/rx/rx_rdwr.c
index 9fe136d64..262b58694 100644
--- a/src/rx/rx_rdwr.c
+++ b/src/rx/rx_rdwr.c
@@ -698,6 +698,13 @@ rxi_WriteProc(register struct rx_call *call, register char *buf,
 do {
 if (call->nFree == 0) {
 if (!call->error && cp) {
+ /* Clear the current packet now so that if
+ * we are forced to wait and drop the lock
+ * the packet we are planning on using
+ * cannot be freed.
+ */
+ cp->flags &= ~RX_PKTFLAG_CP;
+ call->currentPacket = (struct rx_packet *)0;
 #ifdef AFS_GLOBAL_RXLOCK_KERNEL
 /* Wait until TQ_BUSY is reset before adding any
 * packets to the transmit queue
@@ -718,10 +725,9 @@ rxi_WriteProc(register struct rx_call *call, register char *buf,
 * conn->securityMaxTrailerSize */
 hadd32(call->bytesSent, cp->length);
 rxi_PrepareSendPacket(call, cp, 0);
- cp->flags &= ~RX_PKTFLAG_CP;
 cp->flags |= RX_PKTFLAG_TQ;
 queue_Append(&call->tq, cp);
- cp = call->currentPacket = (struct rx_packet *)0;
+ cp = (struct rx_packet *)0;
 if (!
 (call->
 flags & (RX_CALL_FAST_RECOVER |
-- 
2.39.5
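Review bot: Between the added `call->currentPacket = (struct rx_packet *)0;` in the first hunk and `queue_Append(&call->tq, cp);` in the second, the packet is referenced only by the local `cp`, so any exit taken in that window would leak it, and neither hunk shows `call->error` being tested again after the TQ_BUSY wait. The wait loop lies between the two hunks and is not visible here, so this needs confirming against the full body of rxi_WriteProc: if the call can be errored or reset while the lock is dropped, the code after the wait should re-check `call->error` and release `cp` rather than prepare and queue it on a dead call. The new comment would also help the next reader more if it stated the ownership rule it relies on, for example `/* From here until queue_Append(), cp is owned only by this function; nothing reachable through call may free it. */`.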