Commit 4ca3a99c authored by Pavel Shilovsky Committed by Steve French

CIFS: Fix possible freed pointer dereference in SMB2_sess_setup



and remove redundant (rsp == NULL) checks after SendReceive2.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <smfrench@gmail.com>
parent 760ad0ca
+3 −32
@@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
	if (rc != 0)
	if (rc != 0)
		goto neg_exit;
		goto neg_exit;


	if (rsp == NULL) {
		rc = -EIO;
		goto neg_exit;
	}

	cFYI(1, "mode 0x%x", rsp->SecurityMode);
	cFYI(1, "mode 0x%x", rsp->SecurityMode);


	if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
	if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
@@ -637,7 +632,8 @@ ssetup_ntlmssp_authenticate:


	kfree(security_blob);
	kfree(security_blob);
	rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
	rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
	if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
	if (resp_buftype != CIFS_NO_BUFFER &&
	    rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
		if (phase != NtLmNegotiate) {
		if (phase != NtLmNegotiate) {
			cERROR(1, "Unexpected more processing error");
			cERROR(1, "Unexpected more processing error");
			goto ssetup_exit;
			goto ssetup_exit;
@@ -669,11 +665,6 @@ ssetup_ntlmssp_authenticate:
	if (rc != 0)
	if (rc != 0)
		goto ssetup_exit;
		goto ssetup_exit;


	if (rsp == NULL) {
		rc = -EIO;
		goto ssetup_exit;
	}

	ses->session_flags = le16_to_cpu(rsp->SessionFlags);
	ses->session_flags = le16_to_cpu(rsp->SessionFlags);
ssetup_exit:
ssetup_exit:
	free_rsp_buf(resp_buftype, rsp);
	free_rsp_buf(resp_buftype, rsp);
@@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
		goto tcon_error_exit;
		goto tcon_error_exit;
	}
	}


	if (rsp == NULL) {
		rc = -EIO;
		goto tcon_exit;
	}

	if (tcon == NULL) {
	if (tcon == NULL) {
		ses->ipc_tid = rsp->hdr.TreeId;
		ses->ipc_tid = rsp->hdr.TreeId;
		goto tcon_exit;
		goto tcon_exit;
@@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path,
		goto creat_exit;
		goto creat_exit;
	}
	}


	if (rsp == NULL) {
		rc = -EIO;
		goto creat_exit;
	}
	*persistent_fid = rsp->PersistentFileId;
	*persistent_fid = rsp->PersistentFileId;
	*volatile_fid = rsp->VolatileFileId;
	*volatile_fid = rsp->VolatileFileId;


@@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
		goto close_exit;
		goto close_exit;
	}
	}


	if (rsp == NULL) {
		rc = -EIO;
		goto close_exit;
	}

	/* BB FIXME - decode close response, update inode for caching */
	/* BB FIXME - decode close response, update inode for caching */


close_exit:
close_exit:
@@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
		cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
		cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
		goto out;
		goto out;
	}
	}

	if (rsp == NULL) {
		rc = -EIO;
		goto out;
	}

out:
out:
	free_rsp_buf(resp_buftype, rsp);
	free_rsp_buf(resp_buftype, rsp);
	kfree(iov);
	kfree(iov);
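Review bot: In the `ssetup_ntlmssp_authenticate` hunk (@@ -637,7 +632,8) `rsp` is still loaded from `iov[0].iov_base` unconditionally, so when no response buffer is held it can carry a stale pointer; the only thing preventing a read through it is the new `resp_buftype != CIFS_NO_BUFFER` test, and the same value is later handed to `free_rsp_buf(resp_buftype, rsp)` at `ssetup_exit`. That is safe only if SendReceive2 always reports `CIFS_NO_BUFFER` once it has released the response and `free_rsp_buf` ignores the pointer for that type, neither of which is visible on this page. I would record the contract at the check, e.g. `/* rsp is valid only while resp_buftype != CIFS_NO_BUFFER; SendReceive2 may already have freed it */`, because the other hunks drop their `rsp == NULL` guards on the strength of the same assumption and then read server-supplied fields such as `rsp->SecurityMode` and `rsp->SessionFlags`. The enclosing function starts and ends outside the hunk.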