
Commit 27893df

ematsumiyasmfrench
authored andcommitted
cifs: fix small mempool leak in SMB2_negotiate()
In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> Cc: stable@vger.kernel.org Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com>
1 parent 3e3761f commit 27893df

1 file changed

Lines changed: 7 additions & 5 deletions


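--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
 } else if (rc != 0)
 goto neg_exit;
 
+rc = -EIO;
 if (strcmp(server->vals->version_string,
 SMB3ANY_VERSION_STRING) == 0) {
 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
 cifs_server_dbg(VFS,
 "SMB2 dialect returned but not requested\n");
-return -EIO;
+goto neg_exit;
 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
 cifs_server_dbg(VFS,
 "SMB2.1 dialect returned but not requested\n");
-return -EIO;
+goto neg_exit;
 } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
 /* ops set to 3.0 by default for default so update */
 server->ops = &smb311_operations;
@@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
 cifs_server_dbg(VFS,
 "SMB2 dialect returned but not requested\n");
-return -EIO;
+goto neg_exit;
 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
 /* ops set to 3.0 by default for default so update */
 server->ops = &smb21_operations;
@@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
 /* if requested single dialect ensure returned dialect matched */
 cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
 le16_to_cpu(rsp->DialectRevision));
-return -EIO;
+goto neg_exit;
 }
 
 cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
@@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
 else {
 cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
 le16_to_cpu(rsp->DialectRevision));
-rc = -EIO;
 goto neg_exit;
 }
+
+rc = 0;
 server->dialect = le16_to_cpu(rsp->DialectRevision);
 
 /*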
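Review bot: The `rc = -EIO;` preset added at new line 969 carries no comment, yet every `goto neg_exit` between it and `rc = 0;` at new line 1024 now relies on it for its return value. I would add `/* rc stays -EIO for every dialect-mismatch exit until the dialect is accepted below */` above the preset, so a later edit that assigns rc in this window (or adds a new exit after the reset) does not quietly turn a rejected dialect into success. The lines between the hunks are not shown, so it is worth confirming that nothing there overwrites rc before the reset. Since DialectRevision comes from the server's response, these are the paths a misbehaving server can drive repeatedly, which is presumably why the fix is tagged for stable. SMB2_negotiate starts and ends outside the hunks, so the neg_exit cleanup itself is not visible here.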
