From: shuwang@redhat.com
To: sfrench@samba.org
Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
linux-kernel@vger.kernel.org, chuhu@redhat.com,
yizhan@redhat.com, Shu Wang <shuwang@redhat.com>
Subject: [PATCH] SMB: fix memory leak in smb3_validate_negotiate
Date: Fri, 20 Oct 2017 18:20:33 +0800 [thread overview]
Message-ID: <20171020102033.22936-1-shuwang@redhat.com> (raw)
From: Shu Wang <shuwang@redhat.com>
Found the issue by kmemleak. The pointer pneg_rsp stores the
pointer kmalloced from SMB2_ioctl, and should be release
before function return.
unreferenced object 0xffff88018c2b1900 (size 32):
backtrace:
kmemleak_alloc+0x4a/0xa0
__kmalloc+0xec/0x220
SMB2_ioctl+0x27a/0x3c0 [cifs]
smb3_validate_negotiate+0x135/0x370 [cifs]
SMB2_tcon+0x308/0xae0 [cifs]
cifs_put_tcp_session+0x4a5/0x900 [cifs]
cifs_mount+0x6f4/0x15f0 [cifs]
Signed-off-by: Shu Wang <shuwang@redhat.com>
---
fs/cifs/smb2pdu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6f0e6343c15e..4785ed8e1589 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -727,8 +727,10 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */
- if (rsplen > CIFSMaxBufSize)
+ if (rsplen > CIFSMaxBufSize) {
+ kfree(pneg_rsp);
return -EIO;
+ }
}
/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +749,12 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
/* validate negotiate successful */
cifs_dbg(FYI, "validate negotiate info successful\n");
+ kfree(pneg_rsp);
return 0;
vneg_out:
cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+ kfree(pneg_rsp);
return -EIO;
}
--
2.13.5
next reply other threads:[~2017-10-20 10:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-20 10:20 shuwang [this message]
[not found] ` <20171020102033.22936-1-shuwang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-20 12:49 ` [PATCH] SMB: fix memory leak in smb3_validate_negotiate David Disseldorp
[not found] ` <20171020124938.9913-1-ddiss-l3A5Bk7waGM@public.gmane.org>
2017-10-20 12:49 ` [PATCH 1/2] SMB: fix leak of validate negotiate info response buffer David Disseldorp
[not found] ` <20171020124938.9913-2-ddiss-l3A5Bk7waGM@public.gmane.org>
2017-10-21 2:49 ` Shu Wang
[not found] ` <61197467.18033621.1508554198404.JavaMail.zimbra-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-22 14:16 ` David Disseldorp
2017-10-20 12:49 ` [PATCH 2/2] SMB: fix validate negotiate info uninitialised memory use David Disseldorp
[not found] ` <20171020124938.9913-3-ddiss-l3A5Bk7waGM@public.gmane.org>
2017-10-25 18:04 ` Pavel Shilovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171020102033.22936-1-shuwang@redhat.com \
--to=shuwang@redhat.com \
--cc=chuhu@redhat.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=samba-technical@lists.samba.org \
--cc=sfrench@samba.org \
--cc=yizhan@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox