From patchwork Fri Oct 20 10:20:33 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: shuwang@redhat.com X-Patchwork-Id: 10019477 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C3AFC602CB for ; Fri, 20 Oct 2017 10:20:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B45FF285F1 for ; Fri, 20 Oct 2017 10:20:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A934728EE0; Fri, 20 Oct 2017 10:20:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 546C4285F1 for ; Fri, 20 Oct 2017 10:20:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752924AbdJTKUm (ORCPT ); Fri, 20 Oct 2017 06:20:42 -0400 Received: from mx1.redhat.com ([209.132.183.28]:7773 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752911AbdJTKUk (ORCPT ); Fri, 20 Oct 2017 06:20:40 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 198A95F7AE; Fri, 20 Oct 2017 10:20:40 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 198A95F7AE Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=shuwang@redhat.com Received: from d760b8.nay.redhat.com (unknown [10.66.12.134]) by smtp.corp.redhat.com (Postfix) with ESMTP id A939B5D9C1; Fri, 20 Oct 2017 10:20:37 +0000 (UTC) From: shuwang@redhat.com To: sfrench@samba.org Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, chuhu@redhat.com, yizhan@redhat.com, Shu Wang Subject: [PATCH] SMB: fix memory leak in smb3_validate_negotiate Date: Fri, 20 Oct 2017 18:20:33 +0800 Message-Id: <20171020102033.22936-1-shuwang@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 20 Oct 2017 10:20:40 +0000 (UTC) Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Shu Wang Found the issue by kmemleak. The pointer pneg_rsp stores the pointer kmalloced from SMB2_ioctl, and should be release before function return. unreferenced object 0xffff88018c2b1900 (size 32): backtrace: kmemleak_alloc+0x4a/0xa0 __kmalloc+0xec/0x220 SMB2_ioctl+0x27a/0x3c0 [cifs] smb3_validate_negotiate+0x135/0x370 [cifs] SMB2_tcon+0x308/0xae0 [cifs] cifs_put_tcp_session+0x4a5/0x900 [cifs] cifs_mount+0x6f4/0x15f0 [cifs] Signed-off-by: Shu Wang --- fs/cifs/smb2pdu.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6f0e6343c15e..4785ed8e1589 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -727,8 +727,10 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) rsplen); /* relax check since Mac returns max bufsize allowed on ioctl */ - if (rsplen > CIFSMaxBufSize) + if (rsplen > CIFSMaxBufSize) { + kfree(pneg_rsp); return -EIO; + } } /* check validate negotiate info response matches what we got earlier */ @@ -747,10 +749,12 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) /* validate negotiate successful */ cifs_dbg(FYI, "validate negotiate info successful\n"); + kfree(pneg_rsp); return 0; vneg_out: cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); + kfree(pneg_rsp); return -EIO; }