Commit 83e8a613 authored by Namjae Jeon, committed by openeuler-sync-bot

ksmbd: fix memleak in session setup

mainline inclusion
from mainline-v6.4-rc1
commit 6d7cb549
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FG3
CVE: CVE-2023-32255

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d7cb549c2ca20e1f07593f15e936fd54b763028



--------------------------------

If a client sends a session setup request with an unknown NTLMSSP message
type, a session that does not include a channel can be created. This
causes a session memleak, because ksmbd_sessions_deregister() does not
destroy a session if a channel is not included. This patch returns an
error response if the client sends a request with an unknown NTLMSSP
message type.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
(cherry picked from commit 140fce8f)
parent d4a7a821
+4 −0
@@ -1801,6 +1801,10 @@ int smb2_sess_setup(struct ksmbd_work *work)
				}
				kfree(sess->Preauth_HashValue);
				sess->Preauth_HashValue = NULL;
			} else {
				pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",
						le32_to_cpu(negblob->MessageType));
				rc = -EINVAL;
			}
		} else {
			/* TODO: need one more negotiation */
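Review bot: In the new else branch, `rc = -EINVAL` only closes the leak described in the commit message if the error path of smb2_sess_setup() actually destroys the session that was created before the NTLMSSP message type was checked. That path is outside this hunk, so it is worth confirming, and stating in the commit message, that a negative rc from this branch tears down a session that has no channel bound, since ksmbd_sessions_deregister() is said not to. A smaller point on the same branch: the `pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n", ...)` line is driven by a value the client controls. The rate limit bounds the log volume, but a debug-level message would keep a misbehaving client out of the default kernel log entirely, and the stray space before the colon in the format string can be dropped.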