From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Namjae Jeon <linkinjeon@kernel.org>,
Steve French <smfrench@gmail.com>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Tom Talpey <tom@talpey.com>,
linux-cifs@vger.kernel.org, stable@kernel.org,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.18 141/198] ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
Date: Mon, 20 Apr 2026 17:42:00 +0200 [thread overview]
Message-ID: <20260420153940.683390850@linuxfoundation.org> (raw)
In-Reply-To: <20260420153935.605963767@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ad0057fb91218914d6c98268718ceb9d59b388e1 upstream.
The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn->mechToken immediately via kmemdup_nul(). If a later element in
the same blob is malformed, then the decoder will return nonzero after
the allocation is already live. This could happen if mechListMIC [3]
overrunse the enclosing SEQUENCE.
decode_negotiation_token() then sets conn->use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed. The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:
if (conn->use_spnego && conn->mechToken) {
kfree(conn->mechToken);
conn->mechToken = NULL;
}
so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.
Fix this up by not checking check for use_spnego, as it's not required,
so the memory will always be properly freed. At the same time, always
free the memory in ksmbd_conn_free() incase some other failure path
forgot to free it.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/connection.c | 1 +
fs/smb/server/smb2pdu.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -39,6 +39,7 @@ void ksmbd_conn_free(struct ksmbd_conn *
xa_destroy(&conn->sessions);
kvfree(conn->request_buf);
kfree(conn->preauth_info);
+ kfree(conn->mechToken);
if (atomic_dec_and_test(&conn->refcnt)) {
conn->transport->ops->free_transport(conn->transport);
kfree(conn);
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1924,7 +1924,7 @@ out_err:
else if (rc)
rsp->hdr.Status = STATUS_LOGON_FAILURE;
- if (conn->use_spnego && conn->mechToken) {
+ if (conn->mechToken) {
kfree(conn->mechToken);
conn->mechToken = NULL;
}
next prev parent reply other threads:[~2026-04-20 16:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260420153935.605963767@linuxfoundation.org>
2026-04-20 15:41 ` [PATCH 6.18 137/198] smb: client: fix off-by-8 bounds check in check_wsl_eas() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 6.18 138/198] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 6.18 139/198] ksmbd: validate EaNameLength in smb2_get_ea() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 6.18 140/198] ksmbd: require 3 sub-authorities before reading sub_auth[2] Greg Kroah-Hartman
2026-04-20 15:42 ` Greg Kroah-Hartman [this message]
2026-04-20 15:42 ` [PATCH 6.18 142/198] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 6.18 143/198] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420153940.683390850@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=senozhatsky@chromium.org \
--cc=smfrench@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox