Fix for memory overwrite-after-free bug in scst_local
authorvlnb <vlnb@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Wed, 19 Nov 2008 10:55:58 +0000 (10:55 +0000)
committervlnb <vlnb@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Wed, 19 Nov 2008 10:55:58 +0000 (10:55 +0000)
git-svn-id: https://scst.svn.sourceforge.net/svnroot/scst/trunk@575 d57e44dd-8a1f-0410-8b47-8ef2f437770f

scst/src/scst_lib.c

index 4b21bf5..8f8d8c1 100644 (file)
@@ -1436,7 +1436,12 @@ void scst_free_cmd(struct scst_cmd *cmd)
 #endif
 #endif
 
-       scst_check_restore_sg_buff(cmd);
+       /*
+        * Target driver can already free sg buffer before calling
+        * scst_tgt_cmd_done(). E.g., scst_local has to do that.
+        */
+       if (!cmd->tgt_data_buf_alloced)
+               scst_check_restore_sg_buff(cmd);
 
        if (unlikely(cmd->internal)) {
                if (cmd->bufflen > 0)
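Review bot: The new guard in scst_free_cmd() skips scst_check_restore_sg_buff() for every command with `tgt_data_buf_alloced` set, not only for commands whose buffer the target driver has already freed. A driver that allocates its own buffer but releases it after this point would presumably now get back an sg list that was never restored; the restore helper is not visible here, so this needs confirming against its body. The comment should also state the lifetime contract rather than just the scst_local example, e.g. `/* With tgt_data_buf_alloced the target driver owns cmd->sg and may have freed it already, so restoring it here would write into freed memory; such drivers must not rely on the restore. */`. Whether the `cmd->internal` branch below, or anything later in the function, still dereferences the buffer cannot be seen from this hunk, since scst_free_cmd() starts and ends outside it.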