From: Murphy Zhou <jencce.kernel@gmail.com>
To: linux-cifs@vger.kernel.org
Cc: sfrench@samba.org, longli@microsoft.com,
Murphy Zhou <jencce.kernel@gmail.com>
Subject: [PATCH] fs/cifs/smb2pdu.c: fix buffer free in SMB2_ioctl_free
Date: Thu, 23 May 2019 12:12:43 +0800 [thread overview]
Message-ID: <20190523041243.12340-1-jencce.kernel@gmail.com> (raw)
The 2nd buffer could be NULL even if iov_len is not zero. This can
trigger a panic when handling symlinks. It's easy to reproduce with
LTP fs_racer scripts[1] which are randomly craete/delete/link files
and dirs. Fix this panic by checking if the 2nd buffer is padding
before kfree, like what we do in SMB2_open_free.
[1] https://github.com/linux-test-project/ltp/tree/master/testcases/kernel/fs/racer
Fixes: 2c87d6a ("cifs: Allocate memory for all iovs in smb2_ioctl")
Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com>
---
fs/cifs/smb2pdu.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 710ceb8..c36f940 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2619,10 +2619,12 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
void
SMB2_ioctl_free(struct smb_rqst *rqst)
{
+ int i;
if (rqst && rqst->rq_iov) {
cifs_small_buf_release(rqst->rq_iov[0].iov_base); /* request */
- if (rqst->rq_iov[1].iov_len)
- kfree(rqst->rq_iov[1].iov_base);
+ for (i = 1; i < rqst->rq_nvec; i++)
+ if (rqst->rq_iov[i].iov_base != smb2_padding)
+ kfree(rqst->rq_iov[i].iov_base);
}
}
--
1.8.3.1
next reply other threads:[~2019-05-23 4:13 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-23 4:12 Murphy Zhou [this message]
2019-05-24 0:44 ` [PATCH] fs/cifs/smb2pdu.c: fix buffer free in SMB2_ioctl_free ronnie sahlberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190523041243.12340-1-jencce.kernel@gmail.com \
--to=jencce.kernel@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=longli@microsoft.com \
--cc=sfrench@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.