Commit 27893dfc authored by Enzo Matsumiya's avatar Enzo Matsumiya Committed by Steve French
Browse files

cifs: fix small mempool leak in SMB2_negotiate() 



In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
the request is sent, the checks would return -EIO when they should be
rather setting rc = -EIO and jumping to neg_exit to free the response
buffer from mempool.

Signed-off-by: default avatarEnzo Matsumiya <ematsumiya@suse.de>
Cc: stable@vger.kernel.org
Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 3e3761f1

fs/cifs/smb2pdu.c

+7 −5
Original line number Diff line number Diff line
@@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid, 
	} else if (rc != 0)

		goto neg_exit;



	rc = -EIO;

	if (strcmp(server->vals->version_string,

		   SMB3ANY_VERSION_STRING) == 0) {

		if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {

			cifs_server_dbg(VFS,

				"SMB2 dialect returned but not requested\n");

			return -EIO;

			goto neg_exit;

		} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {

			cifs_server_dbg(VFS,

				"SMB2.1 dialect returned but not requested\n");

			return -EIO;

			goto neg_exit;

		} else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {

			/* ops set to 3.0 by default for default so update */

			server->ops = &smb311_operations;
@@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid, 
		if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {

			cifs_server_dbg(VFS,

				"SMB2 dialect returned but not requested\n");

			return -EIO;

			goto neg_exit;

		} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {

			/* ops set to 3.0 by default for default so update */

			server->ops = &smb21_operations;
@@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid, 
		/* if requested single dialect ensure returned dialect matched */

		cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",

				le16_to_cpu(rsp->DialectRevision));

		return -EIO;

		goto neg_exit;

	}



	cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
@@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid, 
	else {

		cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",

				le16_to_cpu(rsp->DialectRevision));

		rc = -EIO;

		goto neg_exit;

	}



	rc = 0;

	server->dialect = le16_to_cpu(rsp->DialectRevision);



	/*