Commit 73aaf920 authored Jan 16, 2019 by Colin Ian King Committed by Steve French Jan 24, 2019

cifs: fix memory leak of an allocated cifs_ntsd structure



The call to SMB2_queary_acl can allocate memory to pntsd and also
return a failure via a call to SMB2_query_acl (and then query_info).
This occurs when query_info allocates the structure and then in
query_info the call to smb2_validate_and_copy_iov fails. Currently the
failure just returns without kfree'ing pntsd hence causing a memory
leak.

Currently, *data is allocated if it's not already pointing to a buffer,
so it needs to be kfree'd only if was allocated in query_info, so the
fix adds an allocated flag to track this.  Also set *dlen to zero on
an error just to be safe since *data is kfree'd.

Also set errno to -ENOMEM if the allocation of *data fails.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Dan Carpener <dan.carpenter@oracle.com>

parent 30bac164

fs/cifs/smb2pdu.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -2816,6 +2816,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
		int resp_buftype = CIFS_NO_BUFFER;
		struct cifs_ses *ses = tcon->ses;
		int flags = 0;
		bool allocated = false;

		cifs_dbg(FYI, "Query Info\n");

		@@ -2855,14 +2856,21 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
		"Error %d allocating memory for acl\n",
		rc);
		*dlen = 0;
		rc = -ENOMEM;
		goto qinf_exit;
		}
		allocated = true;
		}
		}

		rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
		le32_to_cpu(rsp->OutputBufferLength),
		&rsp_iov, min_len, *data);
		if (rc && allocated) {
		kfree(*data);
		*data = NULL;
		*dlen = 0;
		}

		qinf_exit:
		SMB2_query_info_free(&rqst);

Admin message