
Commit fe83bebc authored by David Disseldorp's avatar David Disseldorp Committed by Steve French

SMB: fix leak of validate negotiate info response buffer



Fixes: ff1c038a ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Signed-off-by: Steve French <smfrench@gmail.com>
parent db3b5474
+5 −2
@@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
{
{
	int rc = 0;
	int rc = 0;
	struct validate_negotiate_info_req vneg_inbuf;
	struct validate_negotiate_info_req vneg_inbuf;
	struct validate_negotiate_info_rsp *pneg_rsp;
	struct validate_negotiate_info_rsp *pneg_rsp = NULL;
	u32 rsplen;
	u32 rsplen;
	u32 inbuflen; /* max of 4 dialects */
	u32 inbuflen; /* max of 4 dialects */


@@ -728,7 +728,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)


		/* relax check since Mac returns max bufsize allowed on ioctl */
		/* relax check since Mac returns max bufsize allowed on ioctl */
		if (rsplen > CIFSMaxBufSize)
		if (rsplen > CIFSMaxBufSize)
			return -EIO;
			goto err_rsp_free;
	}
	}


	/* check validate negotiate info response matches what we got earlier */
	/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +747,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)


	/* validate negotiate successful */
	/* validate negotiate successful */
	cifs_dbg(FYI, "validate negotiate info successful\n");
	cifs_dbg(FYI, "validate negotiate info successful\n");
	kfree(pneg_rsp);
	return 0;
	return 0;


vneg_out:
vneg_out:
	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
err_rsp_free:
	kfree(pneg_rsp);
	return -EIO;
	return -EIO;
}
}
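Review bot: The relaxed size check in the second hunk (`if (rsplen > CIFSMaxBufSize)`) still bounds the server-supplied length only from above, so a response shorter than `struct validate_negotiate_info_rsp` would not be rejected at this point. The enclosing condition and the field comparisons after the "check validate negotiate info response matches what we got earlier" comment are outside the visible hunks, but if they read `pneg_rsp` members, a short reply would mean reading past the end of the response buffer in the very path that is meant to detect downgrade tampering. Now that the error label exists, the lower bound can be rejected on the same line: `if (rsplen > CIFSMaxBufSize || rsplen < sizeof(struct validate_negotiate_info_rsp)) goto err_rsp_free;`. Separately, the early return for a failed ioctl is not shown here; it is worth confirming that path cannot leave an allocated buffer in `pneg_rsp`.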