diff mbox series

cifs: fix small mempool leak in SMB2_negotiate()

Message ID 20220830225151.26201-1-ematsumiya@suse.de
State New
Headers show
Series cifs: fix small mempool leak in SMB2_negotiate() | expand

Commit Message

Enzo Matsumiya Aug. 30, 2022, 10:51 p.m. UTC
In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
the request is sent, the checks would return -EIO when they should be
rather setting rc = -EIO and jumping to neg_exit to free the response
buffer from mempool.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 fs/cifs/smb2pdu.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

Comments

ronnie sahlberg Aug. 31, 2022, 1:04 a.m. UTC | #1
LGTM
reviewed-by me

On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote:
>
> In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
> the request is sent, the checks would return -EIO when they should be
> rather setting rc = -EIO and jumping to neg_exit to free the response
> buffer from mempool.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> ---
>  fs/cifs/smb2pdu.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 128e44e57528..6352ab32c7e7 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
>         } else if (rc != 0)
>                 goto neg_exit;
>
> +       rc = -EIO;
>         if (strcmp(server->vals->version_string,
>                    SMB3ANY_VERSION_STRING) == 0) {
>                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2.1 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
>                         /* ops set to 3.0 by default for default so update */
>                         server->ops = &smb311_operations;
> @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
>                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
>                         /* ops set to 3.0 by default for default so update */
>                         server->ops = &smb21_operations;
> @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
>                 /* if requested single dialect ensure returned dialect matched */
>                 cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
>                                 le16_to_cpu(rsp->DialectRevision));
> -               return -EIO;
> +               goto neg_exit;
>         }
>
>         cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
> @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
>         else {
>                 cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
>                                 le16_to_cpu(rsp->DialectRevision));
> -               rc = -EIO;
>                 goto neg_exit;
>         }
> +
> +       rc = 0;
>         server->dialect = le16_to_cpu(rsp->DialectRevision);
>
>         /*
> --
> 2.35.3
>
Steve French Aug. 31, 2022, 1:06 a.m. UTC | #2
merged into cifs-2.6.git for-next

On Tue, Aug 30, 2022 at 8:05 PM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> LGTM
> reviewed-by me
>
> On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote:
> >
> > In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
> > the request is sent, the checks would return -EIO when they should be
> > rather setting rc = -EIO and jumping to neg_exit to free the response
> > buffer from mempool.
> >
> > Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> > ---
> >  fs/cifs/smb2pdu.c | 12 +++++++-----
> >  1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> > index 128e44e57528..6352ab32c7e7 100644
> > --- a/fs/cifs/smb2pdu.c
> > +++ b/fs/cifs/smb2pdu.c
> > @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
> >         } else if (rc != 0)
> >                 goto neg_exit;
> >
> > +       rc = -EIO;
> >         if (strcmp(server->vals->version_string,
> >                    SMB3ANY_VERSION_STRING) == 0) {
> >                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
> >                         cifs_server_dbg(VFS,
> >                                 "SMB2 dialect returned but not requested\n");
> > -                       return -EIO;
> > +                       goto neg_exit;
> >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
> >                         cifs_server_dbg(VFS,
> >                                 "SMB2.1 dialect returned but not requested\n");
> > -                       return -EIO;
> > +                       goto neg_exit;
> >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
> >                         /* ops set to 3.0 by default for default so update */
> >                         server->ops = &smb311_operations;
> > @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
> >                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
> >                         cifs_server_dbg(VFS,
> >                                 "SMB2 dialect returned but not requested\n");
> > -                       return -EIO;
> > +                       goto neg_exit;
> >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
> >                         /* ops set to 3.0 by default for default so update */
> >                         server->ops = &smb21_operations;
> > @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
> >                 /* if requested single dialect ensure returned dialect matched */
> >                 cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
> >                                 le16_to_cpu(rsp->DialectRevision));
> > -               return -EIO;
> > +               goto neg_exit;
> >         }
> >
> >         cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
> > @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
> >         else {
> >                 cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
> >                                 le16_to_cpu(rsp->DialectRevision));
> > -               rc = -EIO;
> >                 goto neg_exit;
> >         }
> > +
> > +       rc = 0;
> >         server->dialect = le16_to_cpu(rsp->DialectRevision);
> >
> >         /*
> > --
> > 2.35.3
> >
Steve French Aug. 31, 2022, 1:10 a.m. UTC | #3
and added cc:stable

On Tue, Aug 30, 2022 at 8:06 PM Steve French <smfrench@gmail.com> wrote:
>
> merged into cifs-2.6.git for-next
>
> On Tue, Aug 30, 2022 at 8:05 PM ronnie sahlberg
> <ronniesahlberg@gmail.com> wrote:
> >
> > LGTM
> > reviewed-by me
> >
> > On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote:
> > >
> > > In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
> > > the request is sent, the checks would return -EIO when they should be
> > > rather setting rc = -EIO and jumping to neg_exit to free the response
> > > buffer from mempool.
> > >
> > > Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
> > > ---
> > >  fs/cifs/smb2pdu.c | 12 +++++++-----
> > >  1 file changed, 7 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> > > index 128e44e57528..6352ab32c7e7 100644
> > > --- a/fs/cifs/smb2pdu.c
> > > +++ b/fs/cifs/smb2pdu.c
> > > @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
> > >         } else if (rc != 0)
> > >                 goto neg_exit;
> > >
> > > +       rc = -EIO;
> > >         if (strcmp(server->vals->version_string,
> > >                    SMB3ANY_VERSION_STRING) == 0) {
> > >                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
> > >                         cifs_server_dbg(VFS,
> > >                                 "SMB2 dialect returned but not requested\n");
> > > -                       return -EIO;
> > > +                       goto neg_exit;
> > >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
> > >                         cifs_server_dbg(VFS,
> > >                                 "SMB2.1 dialect returned but not requested\n");
> > > -                       return -EIO;
> > > +                       goto neg_exit;
> > >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
> > >                         /* ops set to 3.0 by default for default so update */
> > >                         server->ops = &smb311_operations;
> > > @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
> > >                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
> > >                         cifs_server_dbg(VFS,
> > >                                 "SMB2 dialect returned but not requested\n");
> > > -                       return -EIO;
> > > +                       goto neg_exit;
> > >                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
> > >                         /* ops set to 3.0 by default for default so update */
> > >                         server->ops = &smb21_operations;
> > > @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
> > >                 /* if requested single dialect ensure returned dialect matched */
> > >                 cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
> > >                                 le16_to_cpu(rsp->DialectRevision));
> > > -               return -EIO;
> > > +               goto neg_exit;
> > >         }
> > >
> > >         cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
> > > @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
> > >         else {
> > >                 cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
> > >                                 le16_to_cpu(rsp->DialectRevision));
> > > -               rc = -EIO;
> > >                 goto neg_exit;
> > >         }
> > > +
> > > +       rc = 0;
> > >         server->dialect = le16_to_cpu(rsp->DialectRevision);
> > >
> > >         /*
> > > --
> > > 2.35.3
> > >
>
>
>
> --
> Thanks,
>
> Steve
diff mbox series

Patch

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 128e44e57528..6352ab32c7e7 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -965,16 +965,17 @@  SMB2_negotiate(const unsigned int xid,
 	} else if (rc != 0)
 		goto neg_exit;
 
+	rc = -EIO;
 	if (strcmp(server->vals->version_string,
 		   SMB3ANY_VERSION_STRING) == 0) {
 		if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
 			cifs_server_dbg(VFS,
 				"SMB2 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
 		} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
 			cifs_server_dbg(VFS,
 				"SMB2.1 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
 		} else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
 			/* ops set to 3.0 by default for default so update */
 			server->ops = &smb311_operations;
@@ -985,7 +986,7 @@  SMB2_negotiate(const unsigned int xid,
 		if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
 			cifs_server_dbg(VFS,
 				"SMB2 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
 		} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
 			/* ops set to 3.0 by default for default so update */
 			server->ops = &smb21_operations;
@@ -999,7 +1000,7 @@  SMB2_negotiate(const unsigned int xid,
 		/* if requested single dialect ensure returned dialect matched */
 		cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
 				le16_to_cpu(rsp->DialectRevision));
-		return -EIO;
+		goto neg_exit;
 	}
 
 	cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
@@ -1017,9 +1018,10 @@  SMB2_negotiate(const unsigned int xid,
 	else {
 		cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
 				le16_to_cpu(rsp->DialectRevision));
-		rc = -EIO;
 		goto neg_exit;
 	}
+
+	rc = 0;
 	server->dialect = le16_to_cpu(rsp->DialectRevision);
 
 	/*