From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A8D2C77B7F for ; Mon, 8 May 2023 09:54:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233117AbjEHJyL (ORCPT ); Mon, 8 May 2023 05:54:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50528 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233825AbjEHJyG (ORCPT ); Mon, 8 May 2023 05:54:06 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D39D025718 for ; Mon, 8 May 2023 02:54:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 69E946220B for ; Mon, 8 May 2023 09:54:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 56355C433D2; Mon, 8 May 2023 09:54:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1683539640; bh=FP+6WMatnJ6yw/t+QN82S89te6ngdMsGhLt4tLlvr+g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F5cQ7gc+EGtVQMLkUgvCxQgduGHOhji2/NJDYqauOS8LDH0QA1fuvUz0VncBD3qfD VztzDdzq5jSkdfMM26BwZY3PWxcCoRKE0Zk+Q11Y9Gq7WwLv5JAdpRl/CuWEMEfXUG fAwmFBZtNriLu2e2irpDdH/8nVIsly3wICOyhFoI= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Namjae Jeon , Steve French , zdi-disclosures@trendmicro.com Subject: [PATCH 6.1 090/611] ksmbd: fix memleak in session setup Date: Mon, 8 May 2023 11:38:52 +0200 Message-Id: <20230508094425.093392375@linuxfoundation.org> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230508094421.513073170@linuxfoundation.org> References: <20230508094421.513073170@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Namjae Jeon commit 6d7cb549c2ca20e1f07593f15e936fd54b763028 upstream. If client send session setup request with unknown NTLMSSP message type, session that does not included channel can be created. It will cause session memleak. because ksmbd_sessions_deregister() does not destroy session if channel is not included. This patch return error response if client send the request unknown NTLMSSP message type. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593 Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1799,6 +1799,10 @@ int smb2_sess_setup(struct ksmbd_work *w } kfree(sess->Preauth_HashValue); sess->Preauth_HashValue = NULL; + } else { + pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", + le32_to_cpu(negblob->MessageType)); + rc = -EINVAL; } } else { /* TODO: need one more negotiation */