ksmbd: fix kfree of uninitialized pointer oid

Currently function ksmbd_neg_token_init_mech_type can kfree an
uninitialized pointer oid when the call to asn1_oid_decode fails when
vlen is out of range. All the other failure cases in function
asn1_oid_decode set *oid to NULL on an error, so fix the issue by
ensuring the vlen out of range error also nullifies the pointer.

Addresses-Coverity: ("Uninitialized pointer read")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 2c63a3e..b014f46 100644 (file)
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
 
        vlen += 1;
        if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long))
-               return false;
+               goto fail_nullify;
 
        *oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
        if (!*oid)
@@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
 
 fail:
        kfree(*oid);
+fail_nullify:
        *oid = NULL;
        return false;
 }