Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fe83bebc authored by David Disseldorp's avatar David Disseldorp Committed by Steve French
Browse files

SMB: fix leak of validate negotiate info response buffer



Fixes: ff1c038a ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent db3b5474
Loading
Loading
Loading
Loading
+5 −2
Original line number Diff line number Diff line
@@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
{
	int rc = 0;
	struct validate_negotiate_info_req vneg_inbuf;
	struct validate_negotiate_info_rsp *pneg_rsp;
	struct validate_negotiate_info_rsp *pneg_rsp = NULL;
	u32 rsplen;
	u32 inbuflen; /* max of 4 dialects */

@@ -728,7 +728,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)

		/* relax check since Mac returns max bufsize allowed on ioctl */
		if (rsplen > CIFSMaxBufSize)
			return -EIO;
			goto err_rsp_free;
	}

	/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +747,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)

	/* validate negotiate successful */
	cifs_dbg(FYI, "validate negotiate info successful\n");
	kfree(pneg_rsp);
	return 0;

vneg_out:
	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
err_rsp_free:
	kfree(pneg_rsp);
	return -EIO;
}