
Commit 0e5c7955 authored by David Disseldorp, committed by Steve French

cifs: fix leak in FSCTL_ENUM_SNAPS response handling



The server may respond with success, and an output buffer less than
sizeof(struct smb_snapshot_array) in length. Do not leak the output
buffer in this case.

Fixes: 834170c8 ("Enable previous version support")
Signed-off-by: David Disseldorp <ddiss@suse.de>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <smfrench@gmail.com>
parent 26c9cb66
+1 −0
@@ -942,6 +942,7 @@ smb3_enum_snapshots(const unsigned int xid, struct cifs_tcon *tcon,
		}
		}
		if (snapshot_in.snapshot_array_size < sizeof(struct smb_snapshot_array)) {
		if (snapshot_in.snapshot_array_size < sizeof(struct smb_snapshot_array)) {
			rc = -ERANGE;
			rc = -ERANGE;
			kfree(retbuf);
			return rc;
			return rc;
		}
		}
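Review bot: In the -ERANGE branch, kfree(retbuf) is placed inline directly before return rc, which fixes this one exit but keeps the cleanup tied to a single early return; any other exit reached after retbuf is populated would need its own free. Consider routing this branch through a shared cleanup label (set rc = -ERANGE, then goto a label that does kfree(retbuf) and returns rc) so the buffer is released on every path. Separately, the commit message describes a short output buffer from the server, while the condition shown tests snapshot_in.snapshot_array_size; a one-line comment stating which length this check covers would make the error path easier to audit.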