Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ksmbd: fix use-after-free in smb2_lock

If smb_lock->zero_len has a value, ->llist of smb_lock is not deleted and
flock is the old one. It will cause a use-after-free in the error handling
routine.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Namjae Jeon and committed by Steve French
84d2d164 e2ff19f0

+3 -3
fs/smb/server/smb2pdu.c
··· 7458 7458 } 7459 7459 7460 7460 no_check_cl: 7461 + flock = smb_lock->fl; 7462 + list_del(&smb_lock->llist); 7463 + 7461 7464 if (smb_lock->zero_len) { 7462 7465 err = 0; 7463 7466 goto skip; 7464 7467 } 7465 - 7466 - flock = smb_lock->fl; 7467 - list_del(&smb_lock->llist); 7468 7468 retry: 7469 7469 rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL); 7470 7470 skip:
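Review bot: with `list_del(&smb_lock->llist)` now executed before the `zero_len` test, the `zero_len` path reaches `skip:` with `smb_lock` already unlinked, whereas before this hunk that path left the entry on the list; the code after `skip:` is not in the hunk, so please confirm that path frees or re-links `smb_lock` rather than assuming it is still on `llist`, otherwise the entry leaks instead of being freed twice. Hoisting `flock = smb_lock->fl` above the check also means the code after `skip:` sees the current lock's `fl` rather than a stale `flock` from an earlier iteration, which is the fix the commit message describes; a one-line comment above `no_check_cl:` stating that `flock` must be taken and `llist` unlinked for every lock, zero-length ones included, would stop a later cleanup from moving these two lines back under the `if`.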