Fix premature free() in sftp_readdir_async()

2026-04-21 00:25:50 +02:00 · 2026-04-21 00:25:50 +02:00 · 2c7c123fce
commit 2c7c123fce
2 changed files with 49 additions and 0 deletions
--- a/config.yaml
+++ b/config.yaml
@ -0,0 +1,15 @@
+actions:
+  - modify_release:
+    - suffix: ".alma.1"
+      enabled: true
+
+  - changelog_entry:
+    - name: "Andrew Lukoshko"
+      email: "alukoshko@almalinux.org"
+      line:
+        - "Fix premature free() in sftp_readdir_async()"
+
+  - add_files:
+    - type: "patch"
+      name: "1000-sshfs-fix-premature-free.patch"
+      number: 1000
--- a/files/1000-sshfs-fix-premature-free.patch
+++ b/files/1000-sshfs-fix-premature-free.patch
@ -0,0 +1,34 @@
+diff -ur sshfs-2.8.old/ChangeLog sshfs-2.8/ChangeLog
+--- sshfs-2.8.old/ChangeLog	2016-06-22 19:38:01.000000000 +0100
+++ sshfs-2.8/ChangeLog	2021-09-07 08:17:35.352080786 +0100
+@@ -1,3 +1,9 @@
+ Unreleased Changes
+ ------------------
+
++* Fixed a crash due to a race condition when listing
++  directory contents.
+
+ Release 2.7 (2016-06-22)
+ ------------------------
+ 
+diff -ur sshfs-2.8.old/sshfs.c sshfs-2.8/sshfs.c
+--- sshfs-2.8.old/sshfs.c	2016-06-08 16:42:12.000000000 +0100
+++ sshfs-2.8/sshfs.c	2021-09-07 08:17:06.339682726 +0100
+@@ -2173,11 +2173,16 @@
+ 			outstanding--;
+ 
+ 			if (done) {
+				/* We need to cache want_reply, since processing
+				   thread may free req right after unlock() if
+				   want_reply == 0 */
+				int want_reply;
+ 				pthread_mutex_lock(&sshfs.lock);
+ 				if (sshfs_req_pending(req))
+ 					req->want_reply = 0;
+				want_reply = req->want_reply;
+ 				pthread_mutex_unlock(&sshfs.lock);
+-				if (!req->want_reply)
+				if (!want_reply)
+ 					continue;
+ 			}
+