cifs: fix small mempool leak in SMB2_negotiate()
authorEnzo Matsumiya <ematsumiya@suse.de>
Tue, 30 Aug 2022 22:51:51 +0000 (19:51 -0300)
committerSteve French <stfrench@microsoft.com>
Wed, 31 Aug 2022 01:08:13 +0000 (20:08 -0500)
In some failure cases (dialect mismatches) in SMB2_negotiate(), after the
request is sent, the checks returned -EIO directly and so leaked the
response buffer. They should instead set rc = -EIO and jump to neg_exit,
which frees the response buffer back to the mempool.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Cc: stable@vger.kernel.org
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/cifs/smb2pdu.c

index 128e44e5752802b8d0b0d17b795c77eda899f741..6352ab32c7e7ab7004fa94e75e42bb9897384d1c 100644 (file)
@@ -965,16 +965,17 @@ SMB2_negotiate(const unsigned int xid,
        } else if (rc != 0)
                goto neg_exit;
 
+       rc = -EIO;
        if (strcmp(server->vals->version_string,
                   SMB3ANY_VERSION_STRING) == 0) {
                if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
                        cifs_server_dbg(VFS,
                                "SMB2 dialect returned but not requested\n");
-                       return -EIO;
+                       goto neg_exit;
                } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
                        cifs_server_dbg(VFS,
                                "SMB2.1 dialect returned but not requested\n");
-                       return -EIO;
+                       goto neg_exit;
                } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
                        /* ops set to 3.0 by default for default so update */
                        server->ops = &smb311_operations;
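Review bot: The `rc = -EIO;` preset added just before the version_string comparison is what every `goto neg_exit` in the dialect checks that follow relies on, including the ones in later hunks, yet none of those exit sites shows where the error value comes from. A one-line comment on the preset would guard it against a future edit that inserts a call overwriting `rc` between here and the point where it is cleared: `rc = -EIO; /* every dialect-mismatch exit below returns -EIO; cleared only once the dialect is validated */`. The preset also means `rc` is non-zero across this whole region, so nothing added here may treat `rc == 0` as success. SMB2_negotiate starts before this hunk and continues past it.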
@@ -985,7 +986,7 @@ SMB2_negotiate(const unsigned int xid,
                if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
                        cifs_server_dbg(VFS,
                                "SMB2 dialect returned but not requested\n");
-                       return -EIO;
+                       goto neg_exit;
                } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
                        /* ops set to 3.0 by default for default so update */
                        server->ops = &smb21_operations;
@@ -999,7 +1000,7 @@ SMB2_negotiate(const unsigned int xid,
                /* if requested single dialect ensure returned dialect matched */
                cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
                                le16_to_cpu(rsp->DialectRevision));
-               return -EIO;
+               goto neg_exit;
        }
 
        cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
@@ -1017,9 +1018,10 @@ SMB2_negotiate(const unsigned int xid,
        else {
                cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
                                le16_to_cpu(rsp->DialectRevision));
-               rc = -EIO;
                goto neg_exit;
        }
+
+       rc = 0;
        server->dialect = le16_to_cpu(rsp->DialectRevision);
 
        /*
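Review bot: The `goto neg_exit` in the `else` branch of the final dialect check now exits with whatever `rc` currently holds, and the assignment that makes that -EIO sits some forty lines earlier in a different hunk, so the branch no longer reads as a failure path on its own. A trailing comment keeps the intent local: `goto neg_exit; /* rc is -EIO, preset before the dialect checks */`, and the new `rc = 0;` deserves one as well: `rc = 0; /* dialect validated; clear the -EIO preset */`. Judging from the visible lines only, this is correct as long as nothing between the preset and this reset assigns `rc`, which the hunks shown do not. The function continues past the end of this hunk.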