summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoshua Rogers <linux@joshua.hu>2025-11-08 17:59:23 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-11-24 12:30:06 +0300
commit5746b2a0f5eb3d79667b3c51fe849bd62464220e (patch)
treee198e655a06b2e4a600d92457626da03458c4cc3
parent142b2990e64fd1deb0577f3dbcec5a4f21df3b78 (diff)
downloadlinux-5746b2a0f5eb3d79667b3c51fe849bd62464220e.tar.xz
ksmbd: close accepted socket when per-IP limit rejects connection
commit 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 upstream. When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. Cc: stable@vger.kernel.org Signed-off-by: Joshua Rogers <linux@joshua.hu> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--fs/smb/server/transport_tcp.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c
index 279a61d0dcc6..08275db6446c 100644
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -286,8 +286,11 @@ static int ksmbd_kthread_fn(void *p)
}
}
up_read(&conn_list_lock);
- if (ret == -EAGAIN)
+ if (ret == -EAGAIN) {
+ /* Per-IP limit hit: release the just-accepted socket. */
+ sock_release(client_sk);
continue;
+ }
skip_max_ip_conns_limit:
generated by cgit v1.2.3 (git 2.39.0) at 2026-05-06 05:58:54 +0300