Fix double free if reconnection races with request sending

Patch by E. Kuemmerle

diff --git a/ChangeLog b/ChangeLog
index 5d25cbd..66ca1e2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-11-14  Miklos Szeredi <miklos@szeredi.hu>
+
+       * Fix double free if reconnection races with request sending.
+       Patch by E. Kuemmerle
+
 2011-10-21  Miklos Szeredi <miklos@szeredi.hu>
 
        * Remove "-oPreferredAuthentications" from ssh options if the

diff --git a/sshfs.c b/sshfs.c
index 6874e34..109d266 100644 (file)
--- a/sshfs.c
+++ b/sshfs.c
@@ -1752,9 +1752,16 @@ static int sftp_request_send(uint8_t type, struct iovec *iov, size_t count,
 
        err = -EIO;
        if (sftp_send_iov(type, id, iov, count) == -1) {
+               gboolean rmed;
+
                pthread_mutex_lock(&sshfs.lock);
-               g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
+               rmed = g_hash_table_remove(sshfs.reqtab, GUINT_TO_POINTER(id));
                pthread_mutex_unlock(&sshfs.lock);
+
+               if (!rmed && !want_reply) {
+                       /* request already freed */
+                       return err;
+               }
                goto out;
        }
        if (want_reply)
@@ -1775,12 +1782,13 @@ out:
 static int sftp_request_iov(uint8_t type, struct iovec *iov, size_t count,
                             uint8_t expect_type, struct buffer *outbuf)
 {
+       int err;
        struct request *req;
 
-       sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
-                         &req);
+       err = sftp_request_send(type, iov, count, NULL, NULL, expect_type, NULL,
+                               &req);
        if (expect_type == 0)
-               return 0;
+               return err;
 
        return sftp_request_wait(req, type, expect_type, outbuf);
 }