SMB: fix memory leak in smb3_validate_negotiate

Message ID 20171020102033.22936-1-shuwang@redhat.com
State New
Headers show
Series
  • SMB: fix memory leak in smb3_validate_negotiate
Related show

Commit Message

Shu Wang Oct. 20, 2017, 10:20 a.m.
From: Shu Wang <shuwang@redhat.com>

Found the issue by kmemleak. The pointer pneg_rsp stores the
pointer kmalloced from SMB2_ioctl, and should be release
before function return.

unreferenced object 0xffff88018c2b1900 (size 32):
  backtrace:
    kmemleak_alloc+0x4a/0xa0
    __kmalloc+0xec/0x220
    SMB2_ioctl+0x27a/0x3c0 [cifs]
    smb3_validate_negotiate+0x135/0x370 [cifs]
    SMB2_tcon+0x308/0xae0 [cifs]
    cifs_put_tcp_session+0x4a5/0x900 [cifs]
    cifs_mount+0x6f4/0x15f0 [cifs]

Signed-off-by: Shu Wang <shuwang@redhat.com>
---
 fs/cifs/smb2pdu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

David Disseldorp Oct. 20, 2017, 12:49 p.m. | #1
> From: Shu Wang <shuwang@redhat.com>
> 
> Found the issue by kmemleak. The pointer pneg_rsp stores the
> pointer kmalloced from SMB2_ioctl, and should be release
> before function return.

Thanks for the patch, Shu Wang. A fix for this memory leak is already
queued at https://bugzilla.samba.org/show_bug.cgi?id=13092 , alongside
an extra fix for potential use of uninitialised memory. Patches to
follow...

Cheers, David
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6f0e6343c15e..4785ed8e1589 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -727,8 +727,10 @@  int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 			 rsplen);
 
 		/* relax check since Mac returns max bufsize allowed on ioctl */
-		if (rsplen > CIFSMaxBufSize)
+		if (rsplen > CIFSMaxBufSize) {
+			kfree(pneg_rsp);
 			return -EIO;
+		}
 	}
 
 	/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +749,12 @@  int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 
 	/* validate negotiate successful */
 	cifs_dbg(FYI, "validate negotiate info successful\n");
+	kfree(pneg_rsp);
 	return 0;
 
 vneg_out:
 	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+	kfree(pneg_rsp);
 	return -EIO;
 }