Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fe83bebc authored by David Disseldorp's avatar David Disseldorp Committed by Steve French
Browse files

SMB: fix leak of validate negotiate info response buffer 



Fixes: ff1c038a ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent db3b5474

fs/cifs/smb2pdu.c

+5 −2
Original line number Diff line number Diff line
@@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) 
{

	int rc = 0;

	struct validate_negotiate_info_req vneg_inbuf;

	struct validate_negotiate_info_rsp *pneg_rsp;

	struct validate_negotiate_info_rsp *pneg_rsp = NULL;

	u32 rsplen;

	u32 inbuflen; /* max of 4 dialects */
@@ -728,7 +728,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) 


		/* relax check since Mac returns max bufsize allowed on ioctl */

		if (rsplen > CIFSMaxBufSize)

			return -EIO;

			goto err_rsp_free;

	}



	/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +747,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) 


	/* validate negotiate successful */

	cifs_dbg(FYI, "validate negotiate info successful\n");

	kfree(pneg_rsp);

	return 0;



vneg_out:

	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");

err_rsp_free:

	kfree(pneg_rsp);

	return -EIO;

}