Re: [PATCH] cifs: fix small mempool leak in SMB2_negotiate()

LGTM
reviewed-by me

On Wed, 31 Aug 2022 at 08:51, Enzo Matsumiya <ematsumiya@xxxxxxx> wrote:
>
> In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
> the request is sent, the checks would return -EIO when they should be
> rather setting rc = -EIO and jumping to neg_exit to free the response
> buffer from mempool.
>
> Signed-off-by: Enzo Matsumiya <ematsumiya@xxxxxxx>
> ---
>  fs/cifs/smb2pdu.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 128e44e57528..6352ab32c7e7 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
>         } else if (rc != 0)
>                 goto neg_exit;
>
> +       rc = -EIO;
>         if (strcmp(server->vals->version_string,
>                    SMB3ANY_VERSION_STRING) == 0) {
>                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2.1 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
>                         /* ops set to 3.0 by default for default so update */
>                         server->ops = &smb311_operations;
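Review bot: The `rc = -EIO;` default added just before the `strcmp()` dialect checks makes every `goto neg_exit` in this block return -EIO implicitly, and nothing at the jump sites says so. A short comment at the assignment, or setting rc in each mismatch branch, would keep a later edit that assigns rc between this line and the `rc = 0;` reset from silently changing the returned error code.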
> @@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
>                 if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
>                         cifs_server_dbg(VFS,
>                                 "SMB2 dialect returned but not requested\n");
> -                       return -EIO;
> +                       goto neg_exit;
>                 } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
>                         /* ops set to 3.0 by default for default so update */
>                         server->ops = &smb21_operations;
> @@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
>                 /* if requested single dialect ensure returned dialect matched */
>                 cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
>                                 le16_to_cpu(rsp->DialectRevision));
> -               return -EIO;
> +               goto neg_exit;
>         }
>
>         cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
> @@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
>         else {
>                 cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
>                                 le16_to_cpu(rsp->DialectRevision));
> -               rc = -EIO;
>                 goto neg_exit;
>         }
> +
> +       rc = 0;
>         server->dialect = le16_to_cpu(rsp->DialectRevision);
>
>         /*
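Review bot: Dropping `rc = -EIO;` from the final else branch leaves the "Invalid dialect returned by server" path dependent on the default assigned before the first dialect check, several hunks earlier. Keeping the explicit assignment next to this `goto neg_exit` would cost one line and keep the error path self-contained. The new `rc = 0;` also deserves a brief comment saying it ends the region where -EIO is the default, since any failure path added after it has to set rc itself.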
> --
> 2.35.3
>


