From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Thu, 2 Oct 2008 12:51:48 +0000 (+0000)
Subject: rx-current-packet-double-free-20081003
X-Git-Tag: openafs-devel-1_5_61~788
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=1e7203940456e783aad215e939c04ed01dd45599

rx-current-packet-double-free-20081003

LICENSE MIT

in rxi_WriteProc() make sure that rx_call currentPacket is
set to NULL after the rx_packet is added to a queue or
passed to rx_freePacket().  Otherwise we will panic when
we attempt to call rx_freePacket twice on the same packet.
---

diff --git a/src/rx/rx_rdwr.c b/src/rx/rx_rdwr.c
index 22149af..e3aac08 100644
--- a/src/rx/rx_rdwr.c
+++ b/src/rx/rx_rdwr.c
@@ -1121,6 +1121,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 	    rxi_PrepareSendPacket(call, cp, 0);
 	    cp->flags |= RX_PKTFLAG_TQ;
 	    queue_Append(&tmpq, cp);
+            cp = call->currentPacket = (struct rx_packet *)0;
 
 	    /* The head of the iovq is now the current packet */
 	    if (nbytes) {
@@ -1152,6 +1153,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 		if (cp) {
 		    cp->flags &= ~RX_PKTFLAG_CP;
 		    queue_Prepend(&tmpq, cp);
+                    cp = call->currentPacket = (struct rx_packet *)0;
 		}
 		rxi_FreePackets(0, &tmpq);
 		return 0;
@@ -1197,6 +1199,7 @@ rxi_WritevProc(struct rx_call *call, struct iovec *iov, int nio, int nbytes)
 	if (cp) {
 	    cp->flags &= ~RX_PKTFLAG_CP;
 	    rxi_FreePacket(cp);
+            cp = call->currentPacket = (struct rx_packet *)0;
 	}
 	return 0;
     }