SMB: fix memory leak in smb3_validate_negotiate

Message ID	20171020102033.22936-1-shuwang@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-cifs-owner@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 198A95F7AE From: shuwang@redhat.com To: sfrench@samba.org Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, chuhu@redhat.com, yizhan@redhat.com, Shu Wang <shuwang@redhat.com> Subject: [PATCH] SMB: fix memory leak in smb3_validate_negotiate Date: Fri, 20 Oct 2017 18:20:33 +0800 Message-Id: <20171020102033.22936-1-shuwang@redhat.com> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk

Message ID

20171020102033.22936-1-shuwang@redhat.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 198A95F7AE
From: shuwang@redhat.com
To: sfrench@samba.org
Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
	linux-kernel@vger.kernel.org, chuhu@redhat.com, yizhan@redhat.com,
	Shu Wang <shuwang@redhat.com>
Subject: [PATCH] SMB: fix memory leak in smb3_validate_negotiate
Date: Fri, 20 Oct 2017 18:20:33 +0800
Message-Id: <20171020102033.22936-1-shuwang@redhat.com>
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk

Commit Message

shuwang@redhat.com Oct. 20, 2017, 10:20 a.m. UTC

From: Shu Wang <shuwang@redhat.com>

Found the issue by kmemleak. The pointer pneg_rsp stores the
pointer kmalloced from SMB2_ioctl, and should be release
before function return.

unreferenced object 0xffff88018c2b1900 (size 32):
  backtrace:
    kmemleak_alloc+0x4a/0xa0
    __kmalloc+0xec/0x220
    SMB2_ioctl+0x27a/0x3c0 [cifs]
    smb3_validate_negotiate+0x135/0x370 [cifs]
    SMB2_tcon+0x308/0xae0 [cifs]
    cifs_put_tcp_session+0x4a5/0x900 [cifs]
    cifs_mount+0x6f4/0x15f0 [cifs]

Signed-off-by: Shu Wang <shuwang@redhat.com>
---
 fs/cifs/smb2pdu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

David Disseldorp Oct. 20, 2017, 12:49 p.m. UTC | #1

> From: Shu Wang <shuwang@redhat.com>
> 
> Found the issue by kmemleak. The pointer pneg_rsp stores the
> pointer kmalloced from SMB2_ioctl, and should be release
> before function return.

Thanks for the patch, Shu Wang. A fix for this memory leak is already
queued at https://bugzilla.samba.org/show_bug.cgi?id=13092 , alongside
an extra fix for potential use of uninitialised memory. Patches to
follow...

Cheers, David
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6f0e6343c15e..4785ed8e1589 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -727,8 +727,10 @@  int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 			 rsplen);
 
 		/* relax check since Mac returns max bufsize allowed on ioctl */
-		if (rsplen > CIFSMaxBufSize)
+		if (rsplen > CIFSMaxBufSize) {
+			kfree(pneg_rsp);
 			return -EIO;
+		}
 	}
 
 	/* check validate negotiate info response matches what we got earlier */
@@ -747,10 +749,12 @@  int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
 
 	/* validate negotiate successful */
 	cifs_dbg(FYI, "validate negotiate info successful\n");
+	kfree(pneg_rsp);
 	return 0;
 
 vneg_out:
 	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+	kfree(pneg_rsp);
 	return -EIO;
 }