Skip to content

Commit 9d874c3

Browse files
Ronnie SahlbergSteve French
Ronnie Sahlberg
authored and
Steve French
committed
cifs: fix a buffer leak in smb2_query_symlink
This leak was introduced in 91cb74f and caused us to leak one small buffer for every symlink query. Signed-off-by: Ronnie Sahlberg <[email protected]> Signed-off-by: Steve French <[email protected]>
1 parent c7c137b commit 9d874c3

File tree

6 files changed

+39
-29
lines changed

6 files changed

+39
-29
lines changed

fs/cifs/link.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -421,7 +421,8 @@ smb3_query_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
421421
return -ENOMEM;
422422
}
423423

424-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, pfile_info, NULL);
424+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, pfile_info, NULL,
425+
NULL);
425426
if (rc)
426427
goto qmf_out_open_fail;
427428

@@ -478,7 +479,8 @@ smb3_create_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
478479
oparms.fid = &fid;
479480
oparms.reconnect = false;
480481

481-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
482+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL,
483+
NULL);
482484
if (rc) {
483485
kfree(utf16_path);
484486
return rc;

fs/cifs/smb2file.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,8 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
6464
if (oparms->tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING)
6565
memcpy(smb2_oplock + 1, fid->lease_key, SMB2_LEASE_KEY_SIZE);
6666

67-
rc = SMB2_open(xid, oparms, smb2_path, smb2_oplock, smb2_data, NULL);
67+
rc = SMB2_open(xid, oparms, smb2_path, smb2_oplock, smb2_data, NULL,
68+
NULL);
6869
if (rc)
6970
goto out;
7071

fs/cifs/smb2inode.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,8 @@ smb2_open_op_close(const unsigned int xid, struct cifs_tcon *tcon,
7171
oparms.fid = &fid;
7272
oparms.reconnect = false;
7373

74-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
74+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL,
75+
NULL);
7576
if (rc) {
7677
kfree(utf16_path);
7778
return rc;

fs/cifs/smb2ops.c

Lines changed: 28 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -348,7 +348,7 @@ int open_shroot(unsigned int xid, struct cifs_tcon *tcon, struct cifs_fid *pfid)
348348
oparams.fid = pfid;
349349
oparams.reconnect = false;
350350

351-
rc = SMB2_open(xid, &oparams, &srch_path, &oplock, NULL, NULL);
351+
rc = SMB2_open(xid, &oparams, &srch_path, &oplock, NULL, NULL, NULL);
352352
if (rc == 0) {
353353
memcpy(tcon->prfid, pfid, sizeof(struct cifs_fid));
354354
tcon->valid_root_fid = true;
@@ -375,7 +375,8 @@ smb3_qfs_tcon(const unsigned int xid, struct cifs_tcon *tcon)
375375
oparms.reconnect = false;
376376

377377
if (no_cached_open)
378-
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL);
378+
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL,
379+
NULL);
379380
else
380381
rc = open_shroot(xid, tcon, &fid);
381382

@@ -413,7 +414,7 @@ smb2_qfs_tcon(const unsigned int xid, struct cifs_tcon *tcon)
413414
oparms.fid = &fid;
414415
oparms.reconnect = false;
415416

416-
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL);
417+
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL, NULL);
417418
if (rc)
418419
return;
419420

@@ -449,7 +450,7 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
449450
oparms.fid = &fid;
450451
oparms.reconnect = false;
451452

452-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
453+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
453454
if (rc) {
454455
kfree(utf16_path);
455456
return rc;
@@ -598,7 +599,7 @@ smb2_query_eas(const unsigned int xid, struct cifs_tcon *tcon,
598599
oparms.fid = &fid;
599600
oparms.reconnect = false;
600601

601-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
602+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
602603
kfree(utf16_path);
603604
if (rc) {
604605
cifs_dbg(FYI, "open failed rc=%d\n", rc);
@@ -677,7 +678,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
677678
oparms.fid = &fid;
678679
oparms.reconnect = false;
679680

680-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
681+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
681682
kfree(utf16_path);
682683
if (rc) {
683684
cifs_dbg(FYI, "open failed rc=%d\n", rc);
@@ -1261,7 +1262,7 @@ smb2_query_dir_first(const unsigned int xid, struct cifs_tcon *tcon,
12611262
oparms.fid = fid;
12621263
oparms.reconnect = false;
12631264

1264-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
1265+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
12651266
kfree(utf16_path);
12661267
if (rc) {
12671268
cifs_dbg(FYI, "open dir failed rc=%d\n", rc);
@@ -1361,7 +1362,7 @@ smb2_queryfs(const unsigned int xid, struct cifs_tcon *tcon,
13611362
oparms.fid = &fid;
13621363
oparms.reconnect = false;
13631364

1364-
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL);
1365+
rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL, NULL);
13651366
if (rc)
13661367
return rc;
13671368
buf->f_type = SMB2_MAGIC_NUMBER;
@@ -1515,7 +1516,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
15151516
struct cifs_open_parms oparms;
15161517
struct cifs_fid fid;
15171518
struct kvec err_iov = {NULL, 0};
1518-
struct smb2_err_rsp *err_buf;
1519+
struct smb2_err_rsp *err_buf = NULL;
1520+
int resp_buftype;
15191521
struct smb2_symlink_err_rsp *symlink;
15201522
unsigned int sub_len;
15211523
unsigned int sub_offset;
@@ -1535,18 +1537,18 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
15351537
oparms.fid = &fid;
15361538
oparms.reconnect = false;
15371539

1538-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov);
1539-
1540+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov,
1541+
&resp_buftype);
15401542
if (!rc || !err_iov.iov_base) {
1541-
kfree(utf16_path);
1542-
return -ENOENT;
1543+
rc = -ENOENT;
1544+
goto querty_exit;
15431545
}
15441546

15451547
err_buf = err_iov.iov_base;
15461548
if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) ||
15471549
err_iov.iov_len < SMB2_SYMLINK_STRUCT_SIZE) {
1548-
kfree(utf16_path);
1549-
return -ENOENT;
1550+
rc = -ENOENT;
1551+
goto querty_exit;
15501552
}
15511553

15521554
/* open must fail on symlink - reset rc */
@@ -1558,25 +1560,28 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
15581560
print_offset = le16_to_cpu(symlink->PrintNameOffset);
15591561

15601562
if (err_iov.iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
1561-
kfree(utf16_path);
1562-
return -ENOENT;
1563+
rc = -ENOENT;
1564+
goto querty_exit;
15631565
}
15641566

15651567
if (err_iov.iov_len <
15661568
SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
1567-
kfree(utf16_path);
1568-
return -ENOENT;
1569+
rc = -ENOENT;
1570+
goto querty_exit;
15691571
}
15701572

15711573
*target_path = cifs_strndup_from_utf16(
15721574
(char *)symlink->PathBuffer + sub_offset,
15731575
sub_len, true, cifs_sb->local_nls);
15741576
if (!(*target_path)) {
1575-
kfree(utf16_path);
1576-
return -ENOMEM;
1577+
rc = -ENOMEM;
1578+
goto querty_exit;
15771579
}
15781580
convert_delimiter(*target_path, '/');
15791581
cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
1582+
1583+
querty_exit:
1584+
free_rsp_buf(resp_buftype, err_buf);
15801585
kfree(utf16_path);
15811586
return rc;
15821587
}
@@ -1649,7 +1654,7 @@ get_smb2_acl_by_path(struct cifs_sb_info *cifs_sb,
16491654
oparms.fid = &fid;
16501655
oparms.reconnect = false;
16511656

1652-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
1657+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
16531658
kfree(utf16_path);
16541659
if (!rc) {
16551660
rc = SMB2_query_acl(xid, tlink_tcon(tlink), fid.persistent_fid,
@@ -1712,7 +1717,7 @@ set_smb2_acl(struct cifs_ntsd *pnntsd, __u32 acllen,
17121717
oparms.fid = &fid;
17131718
oparms.reconnect = false;
17141719

1715-
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
1720+
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, NULL);
17161721
kfree(utf16_path);
17171722
if (!rc) {
17181723
rc = SMB2_set_acl(xid, tlink_tcon(tlink), fid.persistent_fid,

fs/cifs/smb2pdu.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1889,7 +1889,7 @@ alloc_path_with_tree_prefix(__le16 **out_path, int *out_size, int *out_len,
18891889
int
18901890
SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
18911891
__u8 *oplock, struct smb2_file_all_info *buf,
1892-
struct kvec *err_iov)
1892+
struct kvec *err_iov, int *buftype)
18931893
{
18941894
struct smb2_create_req *req;
18951895
struct smb2_create_rsp *rsp;
@@ -2052,6 +2052,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
20522052
cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
20532053
if (err_iov && rsp) {
20542054
*err_iov = rsp_iov;
2055+
*buftype = resp_buftype;
20552056
resp_buftype = CIFS_NO_BUFFER;
20562057
rsp = NULL;
20572058
}

fs/cifs/smb2proto.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -125,7 +125,7 @@ extern int SMB2_tdis(const unsigned int xid, struct cifs_tcon *tcon);
125125
extern int SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms,
126126
__le16 *path, __u8 *oplock,
127127
struct smb2_file_all_info *buf,
128-
struct kvec *err_iov);
128+
struct kvec *err_iov, int *resp_buftype);
129129
extern int SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon,
130130
u64 persistent_fid, u64 volatile_fid, u32 opcode,
131131
bool is_fsctl, char *in_data, u32 indatalen,

0 commit comments

Comments
 (0)