sftp_readdir_async(): don't access request when it may have been freed

Fixes: libfuse#7
joncv · Jul 12, 2017 · 82766d1 · 82766d1
1 parent 6f6491c
commit 82766d1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,3 +1,9 @@
+Unreleased Changes
+------------------
+
+* Fixed a crash due to a race condition when listing
+  directory contents.
+
 Release 3.0.0 (2017-07-08)
 --------------------------
 

diff --git a/sshfs.c b/sshfs.c
@@ -2073,11 +2073,16 @@ static int sftp_readdir_async(struct buffer *handle, void *buf, off_t offset,
 			outstanding--;
 
 			if (done) {
+				/* We need to cache want_reply, since processing
+				   thread may free req right after unlock() if
+				   want_reply == 0 */
+				int want_reply;
 				pthread_mutex_lock(&sshfs.lock);
 				if (sshfs_req_pending(req))
 					req->want_reply = 0;
+				want_reply = req->want_reply;
 				pthread_mutex_unlock(&sshfs.lock);
-				if (!req->want_reply)
+				if (!want_reply)
 					continue;
 			}