> From: "David Disseldorp" <ddiss@xxxxxxx>
> To: "Shu Wang" <shuwang@xxxxxxxxxx>, sfrench@xxxxxxxxx, linux-cifs@xxxxxxxxxxxxxxx, samba-technical@xxxxxxxxxxxxxxx
> Cc: "David Disseldorp" <ddiss@xxxxxxx>
> Sent: Friday, October 20, 2017 8:49:37 PM
> Subject: [PATCH 1/2] SMB: fix leak of validate negotiate info response buffer
>
> Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
> Signed-off-by: David Disseldorp <ddiss@xxxxxxx>
> ---
> fs/cifs/smb2pdu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 6f0e6343c15e..052ab5dee6b6 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid,
> struct cifs_tcon *tcon)
> {
> int rc = 0;
> struct validate_negotiate_info_req vneg_inbuf;
> - struct validate_negotiate_info_rsp *pneg_rsp;
> + struct validate_negotiate_info_rsp *pneg_rsp = NULL;
> u32 rsplen;
> u32 inbuflen; /* max of 4 dialects */
>
SMB2_ioctl will set pneg_rsp pointer to NULL, so it won't really
cause any issue. Anyway, looks good to me.
1879 SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
1880 >--- u64 volatile_fid, u32 opcode, bool is_fsctl, bool use_ipc,
1881 >--- char *in_data, u32 indatalen,
1882 >--- char **out_data, u32 *plen /* returned data len */)
1883 {
........
1897 >---if (out_data != NULL)
1898 >--->---*out_data = NULL;
1899
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
