Message ID | 20220830225151.26201-1-ematsumiya@suse.de |
---|---|
State | New |
Headers | show |
Series | cifs: fix small mempool leak in SMB2_negotiate() | expand |
LGTM reviewed-by me On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote: > > In some cases of failure (dialect mismatches) in SMB2_negotiate(), after > the request is sent, the checks would return -EIO when they should be > rather setting rc = -EIO and jumping to neg_exit to free the response > buffer from mempool. > > Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> > --- > fs/cifs/smb2pdu.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 128e44e57528..6352ab32c7e7 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid, > } else if (rc != 0) > goto neg_exit; > > + rc = -EIO; > if (strcmp(server->vals->version_string, > SMB3ANY_VERSION_STRING) == 0) { > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > cifs_server_dbg(VFS, > "SMB2 dialect returned but not requested\n"); > - return -EIO; > + goto neg_exit; > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > cifs_server_dbg(VFS, > "SMB2.1 dialect returned but not requested\n"); > - return -EIO; > + goto neg_exit; > } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { > /* ops set to 3.0 by default for default so update */ > server->ops = &smb311_operations; > @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid, > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > cifs_server_dbg(VFS, > "SMB2 dialect returned but not requested\n"); > - return -EIO; > + goto neg_exit; > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > /* ops set to 3.0 by default for default so update */ > server->ops = &smb21_operations; > @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid, > /* if requested single dialect ensure returned dialect matched */ > cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", > le16_to_cpu(rsp->DialectRevision)); > - return -EIO; > + goto neg_exit; > } > > cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); > @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid, > else { > cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", > le16_to_cpu(rsp->DialectRevision)); > - rc = -EIO; > goto neg_exit; > } > + > + rc = 0; > server->dialect = le16_to_cpu(rsp->DialectRevision); > > /* > -- > 2.35.3 >
merged into cifs-2.6.git for-next On Tue, Aug 30, 2022 at 8:05 PM ronnie sahlberg <ronniesahlberg@gmail.com> wrote: > > LGTM > reviewed-by me > > On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote: > > > > In some cases of failure (dialect mismatches) in SMB2_negotiate(), after > > the request is sent, the checks would return -EIO when they should be > > rather setting rc = -EIO and jumping to neg_exit to free the response > > buffer from mempool. > > > > Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> > > --- > > fs/cifs/smb2pdu.c | 12 +++++++----- > > 1 file changed, 7 insertions(+), 5 deletions(-) > > > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > > index 128e44e57528..6352ab32c7e7 100644 > > --- a/fs/cifs/smb2pdu.c > > +++ b/fs/cifs/smb2pdu.c > > @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid, > > } else if (rc != 0) > > goto neg_exit; > > > > + rc = -EIO; > > if (strcmp(server->vals->version_string, > > SMB3ANY_VERSION_STRING) == 0) { > > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > > cifs_server_dbg(VFS, > > "SMB2 dialect returned but not requested\n"); > > - return -EIO; > > + goto neg_exit; > > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > > cifs_server_dbg(VFS, > > "SMB2.1 dialect returned but not requested\n"); > > - return -EIO; > > + goto neg_exit; > > } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { > > /* ops set to 3.0 by default for default so update */ > > server->ops = &smb311_operations; > > @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid, > > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > > cifs_server_dbg(VFS, > > "SMB2 dialect returned but not requested\n"); > > - return -EIO; > > + goto neg_exit; > > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > > /* ops set to 3.0 by default for default so update */ > > server->ops = &smb21_operations; > > @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid, > > /* if requested single dialect ensure returned dialect matched */ > > cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", > > le16_to_cpu(rsp->DialectRevision)); > > - return -EIO; > > + goto neg_exit; > > } > > > > cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); > > @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid, > > else { > > cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", > > le16_to_cpu(rsp->DialectRevision)); > > - rc = -EIO; > > goto neg_exit; > > } > > + > > + rc = 0; > > server->dialect = le16_to_cpu(rsp->DialectRevision); > > > > /* > > -- > > 2.35.3 > >
and added cc:stable On Tue, Aug 30, 2022 at 8:06 PM Steve French <smfrench@gmail.com> wrote: > > merged into cifs-2.6.git for-next > > On Tue, Aug 30, 2022 at 8:05 PM ronnie sahlberg > <ronniesahlberg@gmail.com> wrote: > > > > LGTM > > reviewed-by me > > > > On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@suse.de> wrote: > > > > > > In some cases of failure (dialect mismatches) in SMB2_negotiate(), after > > > the request is sent, the checks would return -EIO when they should be > > > rather setting rc = -EIO and jumping to neg_exit to free the response > > > buffer from mempool. > > > > > > Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> > > > --- > > > fs/cifs/smb2pdu.c | 12 +++++++----- > > > 1 file changed, 7 insertions(+), 5 deletions(-) > > > > > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > > > index 128e44e57528..6352ab32c7e7 100644 > > > --- a/fs/cifs/smb2pdu.c > > > +++ b/fs/cifs/smb2pdu.c > > > @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid, > > > } else if (rc != 0) > > > goto neg_exit; > > > > > > + rc = -EIO; > > > if (strcmp(server->vals->version_string, > > > SMB3ANY_VERSION_STRING) == 0) { > > > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > > > cifs_server_dbg(VFS, > > > "SMB2 dialect returned but not requested\n"); > > > - return -EIO; > > > + goto neg_exit; > > > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > > > cifs_server_dbg(VFS, > > > "SMB2.1 dialect returned but not requested\n"); > > > - return -EIO; > > > + goto neg_exit; > > > } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { > > > /* ops set to 3.0 by default for default so update */ > > > server->ops = &smb311_operations; > > > @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid, > > > if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { > > > cifs_server_dbg(VFS, > > > "SMB2 dialect returned but not requested\n"); > > > - return -EIO; > > > + goto neg_exit; > > > } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { > > > /* ops set to 3.0 by default for default so update */ > > > server->ops = &smb21_operations; > > > @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid, > > > /* if requested single dialect ensure returned dialect matched */ > > > cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", > > > le16_to_cpu(rsp->DialectRevision)); > > > - return -EIO; > > > + goto neg_exit; > > > } > > > > > > cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); > > > @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid, > > > else { > > > cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", > > > le16_to_cpu(rsp->DialectRevision)); > > > - rc = -EIO; > > > goto neg_exit; > > > } > > > + > > > + rc = 0; > > > server->dialect = le16_to_cpu(rsp->DialectRevision); > > > > > > /* > > > -- > > > 2.35.3 > > > > > > > -- > Thanks, > > Steve
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 128e44e57528..6352ab32c7e7 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid, } else if (rc != 0) goto neg_exit; + rc = -EIO; if (strcmp(server->vals->version_string, SMB3ANY_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_server_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { cifs_server_dbg(VFS, "SMB2.1 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { /* ops set to 3.0 by default for default so update */ server->ops = &smb311_operations; @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid, if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_server_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { /* ops set to 3.0 by default for default so update */ server->ops = &smb21_operations; @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid, /* if requested single dialect ensure returned dialect matched */ cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", le16_to_cpu(rsp->DialectRevision)); - return -EIO; + goto neg_exit; } cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid, else { cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", le16_to_cpu(rsp->DialectRevision)); - rc = -EIO; goto neg_exit; } + + rc = 0; server->dialect = le16_to_cpu(rsp->DialectRevision); /*
In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> --- fs/cifs/smb2pdu.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)