This is a note to let you know that I've just added the patch titled

    ksmbd: fix memory leak in smb2_handle_negotiate

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From aa7253c2393f6dcd6a1468b0792f6da76edad917 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Thu, 28 Jul 2022 21:56:19 +0900
Subject: ksmbd: fix memory leak in smb2_handle_negotiate

From: Namjae Jeon <linkinjeon@xxxxxxxxxx>

commit aa7253c2393f6dcd6a1468b0792f6da76edad917 upstream.

The allocated memory wasn't freed under an error path in smb2_handle_negotiate().

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: zdi-disclosures@xxxxxxxxxxxxxx # ZDI-CAN-17815
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Reviewed-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/ksmbd/smb2pdu.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1139,12 +1139,16 @@ int smb2_handle_negotiate(struct ksmbd_w status); rsp->hdr.Status = status; rc = -EINVAL; + kfree(conn->preauth_info); + conn->preauth_info = NULL; goto err_out; } rc = init_smb3_11_server(conn); if (rc < 0) { rsp->hdr.Status = STATUS_INVALID_PARAMETER; + kfree(conn->preauth_info); + conn->preauth_info = NULL; goto err_out; } Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxxx are queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch queue-5.19/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch
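Review bot: the identical two-line cleanup `kfree(conn->preauth_info); conn->preauth_info = NULL;` is pasted into both error branches ahead of `goto err_out` in this hunk; a dedicated error label placed before `err_out` (for instance `err_free_preauth:`, a hypothetical name) would let each branch jump to a single copy and make it harder for the next error path added to this function to miss the free again. Resetting the field to NULL after `kfree()` is the right call here, since `kfree(NULL)` is a no-op and it keeps any later release of `conn->preauth_info` from freeing the same buffer twice; the commit message could also name where the buffer is allocated so readers of the stable tree can see which allocation these two frees pair with.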