
Commit 7ac5b66

namjaejeon authored and Steve French committed
ksmbd: fix null pointer dereference in destroy_previous_session
If a client sets ->PreviousSessionId at the kerberos session setup stage, a NULL pointer dereference error will happen. Since sess->user is not set yet, it can pass the user argument as NULL to destroy_previous_session. sess->user will be set in ksmbd_krb5_authenticate(), so this patch moves the destroy_previous_session() call after ksmbd_krb5_authenticate().

Cc: [email protected]
Reported-by: [email protected] # ZDI-CAN-27391
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
1 parent a89f5fa commit 7ac5b66

1 file changed: +6 -5 lines changed


fs/smb/server/smb2pdu.c

Lines changed: 6 additions & 5 deletions
@@ -1607,17 +1607,18 @@ static int krb5_authenticate(struct ksmbd_work *work,
16071607
out_len = work->response_sz -
16081608
(le16_to_cpu(rsp->SecurityBufferOffset) + 4);
16091609

1610-
/* Check previous session */
1611-
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
1612-
if (prev_sess_id && prev_sess_id != sess->id)
1613-
destroy_previous_session(conn, sess->user, prev_sess_id);
1614-
16151610
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
16161611
out_blob, &out_len);
16171612
if (retval) {
16181613
ksmbd_debug(SMB, "krb5 authentication failed\n");
16191614
return -EINVAL;
16201615
}
1616+
1617+
/* Check previous session */
1618+
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
1619+
if (prev_sess_id && prev_sess_id != sess->id)
1620+
destroy_previous_session(conn, sess->user, prev_sess_id);
1621+
16211622
rsp->SecurityBufferLength = cpu_to_le16(out_len);
16221623

16231624
if ((conn->sign || server_conf.enforced_signing) ||
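Review bot: after the move, destroy_previous_session() at line 1620 still receives sess->user unchecked; the fix relies on ksmbd_krb5_authenticate() having populated sess->user whenever it returns 0, and nothing in this hunk verifies that. If that guarantee is not obvious from ksmbd_krb5_authenticate(), a cheap guard such as `if (prev_sess_id && prev_sess_id != sess->id && sess->user)` (or a NULL check inside destroy_previous_session() itself) would keep the call safe against a future code path that succeeds without setting the user. The reorder also changes behaviour in a way the commit message should state explicitly: because the check now sits after the `return -EINVAL` path, a client whose Kerberos blob fails to authenticate can no longer cause an existing session to be torn down, which is the correct ordering for a previous-session cleanup.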
