Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
SMB: fix leak of validate negotiate info response buffer
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Signed-off-by: Steve French <smfrench@gmail.com>
authored by David Disseldorp and committed by Steve French fe83bebc db3b5474
+5
-2
fs/cifs/smb2pdu.c
+5
-2
fs/cifs/smb2pdu.c
···
648
648
{
649
649
int rc = 0;
650
650
struct validate_negotiate_info_req vneg_inbuf;
651
-
struct validate_negotiate_info_rsp *pneg_rsp;
651
+
struct validate_negotiate_info_rsp *pneg_rsp = NULL;
652
652
u32 rsplen;
653
653
u32 inbuflen; /* max of 4 dialects */
654
654
···
728
728
729
729
/* relax check since Mac returns max bufsize allowed on ioctl */
730
730
if (rsplen > CIFSMaxBufSize)
731
-
return -EIO;
731
+
goto err_rsp_free;
732
732
}
733
733
734
734
/* check validate negotiate info response matches what we got earlier */
···
747
747
748
748
/* validate negotiate successful */
749
749
cifs_dbg(FYI, "validate negotiate info successful\n");
750
+
kfree(pneg_rsp);
750
751
return 0;
751
752
752
753
vneg_out:
753
754
cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
755
+
err_rsp_free:
756
+
kfree(pneg_rsp);
754
757
return -EIO;
755
758
}
756
759