diff options
author | David Disseldorp <ddiss@suse.de> | 2017-10-20 15:49:37 +0300 |
---|---|---|
committer | Steve French <smfrench@gmail.com> | 2017-10-25 21:02:59 +0300 |
commit | fe83bebc05228e838ed5cbbc62712ab50dd40e18 (patch) | |
tree | 692d2e3bfdc526c029c0e2f1c81240e52ee4abb4 /fs | |
parent | db3b5474f462e77b82ca1e27627f03c47b622c99 (diff) | |
download | linux-fe83bebc05228e838ed5cbbc62712ab50dd40e18.tar.xz |
SMB: fix leak of validate negotiate info response buffer
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/smb2pdu.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 3efcd96b52c5..6b03e2d45d8e 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) { int rc = 0; struct validate_negotiate_info_req vneg_inbuf; - struct validate_negotiate_info_rsp *pneg_rsp; + struct validate_negotiate_info_rsp *pneg_rsp = NULL; u32 rsplen; u32 inbuflen; /* max of 4 dialects */ @@ -728,7 +728,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) /* relax check since Mac returns max bufsize allowed on ioctl */ if (rsplen > CIFSMaxBufSize) - return -EIO; + goto err_rsp_free; } /* check validate negotiate info response matches what we got earlier */ @@ -747,10 +747,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) /* validate negotiate successful */ cifs_dbg(FYI, "validate negotiate info successful\n"); + kfree(pneg_rsp); return 0; vneg_out: cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); +err_rsp_free: + kfree(pneg_rsp); return -EIO; } |