KernelScan.io

CRITICAL

smb SMBDirect Double-Free

CVE-2026-31609

CVSS 9.8 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 9.8 CRITICAL


In the Linux kernel, the following vulnerability has been resolved:

smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()

smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.


Engine v0.2.0

Risk summary

A critical double-free vulnerability in the Linux SMB client's SMB Direct implementation could allow attackers to cause system crashes or potentially achieve code execution. When SMB clients connect to malicious servers or experience specific network conditions during SMB Direct operations, the kernel may free the same memory twice, leading to heap corruption. This affects systems using SMB shares over RDMA networks and could be exploited by malicious SMB servers to compromise client systems.

Affected file: fs/smb/client/smbdirect.c

Vulnerability analysis

Root Cause: In the SMB client's SMB Direct implementation, the smbd_post_send_iter() function has a double-free vulnerability. When smbd_post_send() successfully moves a request to a batch list, the code path continues to call smbd_free_send_io() on error conditions, even though smbd_send_batch_flush() has already freed the same request structure. This occurs because the error handling logic doesn't account for the ownership transfer that happens when the request is moved to the batch.

Attack Surface: This vulnerability affects SMB client connections using SMB Direct (RDMA) transport. It requires an active SMB connection to a server and can be triggered during normal SMB operations when batch flushing fails. The attack surface is network-based but requires legitimate SMB client usage, making it exploitable by malicious SMB servers or through network manipulation during SMB Direct operations.

Fix Mechanism: The patch adds a new error label 'err_flush' and restructures the error handling flow. After smbd_post_send() succeeds (moving the request to batch), if smbd_send_batch_flush() fails, the code jumps to 'err_flush' which skips the smbd_free_send_io() call. A comment is added to clarify that once the request is moved to batch, it should not be freed explicitly. This prevents the double-free by ensuring the request is only freed once.


Branch      Fixed in    Patch commit
6.18        6.18.24     a9940dcbe5cb
6.19        6.19.14     22b7c1c619d8
7.0         7.0.1       f9a162c2bbcd
mainline    7.1-rc1     27b7c3e91621