Patch "smb: client: fix potential NULL deref in parse_dfs_referrals()" has been added to the 6.6-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 11 Dec 2023 13:57:47 +0100

This is a note to let you know that I've just added the patch titled

    smb: client: fix potential NULL deref in parse_dfs_referrals()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     smb-client-fix-potential-null-deref-in-parse_dfs_referrals.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 92414333eb375ed64f4ae92d34d579e826936480 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@xxxxxxxxxxxxx>
Date: Tue, 5 Dec 2023 21:49:29 -0300
Subject: smb: client: fix potential NULL deref in parse_dfs_referrals()

From: Paulo Alcantara <pc@xxxxxxxxxxxxx>

commit 92414333eb375ed64f4ae92d34d579e826936480 upstream.

If server returned no data for FSCTL_DFS_GET_REFERRALS, @dfs_rsp will
remain NULL and then parse_dfs_referrals() will dereference it.

Fix this by returning -EIO when no output data is returned.

Besides, we can't fix it in SMB2_ioctl() as some FSCTLs are allowed to
return no data as per MS-SMB2 2.2.32.

Fixes: 9d49640a21bf ("CIFS: implement get_dfs_refer for SMB2+")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Robert Morris <rtm@xxxxxxxxxxxxx>
Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/smb/client/smb2ops.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -2834,6 +2834,8 @@ smb2_get_dfs_refer(const unsigned int xi
 		usleep_range(512, 2048);
 	} while (++retry_count < 5);
 
+	if (!rc && !dfs_rsp)
+		rc = -EIO;
 	if (rc) {
 		if (!is_retryable_error(rc) && rc != -ENOENT && rc != -EOPNOTSUPP)
 			cifs_tcon_dbg(VFS, "%s: ioctl error: rc=%d\n", __func__, rc);


Patches currently in stable-queue which might be from pc@xxxxxxxxxxxxx are

queue-6.6/cifs-fix-flushing-invalidation-and-file-size-with-copy_file_range.patch
queue-6.6/cifs-fix-flushing-invalidation-and-file-size-with-ficlone.patch
queue-6.6/smb-client-fix-potential-null-deref-in-parse_dfs_referrals.patch







