cifs: free ntlmsspblob allocated in negotiate

One of my previous fixes:
cifs: send workstation name during ntlmssp session setup
...changed the prototype of build_ntlmssp_negotiate_blob
from being allocated by the caller to being allocated within
the function. The caller needs to free this object too.
While SMB2 version of the caller did it, I forgot to free
for the SMB1 version. Fixing that here.

Fixes: 49bd49f983b5 ("cifs: send workstation name during ntlmssp session setup")
Cc: stable@vger.kernel.org # 5.16
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index d12490e..ffaa091 100644 (file)
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -1413,7 +1413,7 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
                                     &blob_len, ses, server,
                                     sess_data->nls_cp);
        if (rc)
-               goto out;
+               goto out_free_ntlmsspblob;
 
        sess_data->iov[1].iov_len = blob_len;
        sess_data->iov[1].iov_base = ntlmsspblob;
@@ -1421,7 +1421,7 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
 
        rc = _sess_auth_rawntlmssp_assemble_req(sess_data);
        if (rc)
-               goto out;
+               goto out_free_ntlmsspblob;
 
        rc = sess_sendreceive(sess_data);
 
@@ -1435,14 +1435,14 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
                rc = 0;
 
        if (rc)
-               goto out;
+               goto out_free_ntlmsspblob;
 
        cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
 
        if (smb_buf->WordCount != 4) {
                rc = -EIO;
                cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount);
-               goto out;
+               goto out_free_ntlmsspblob;
        }
 
        ses->Suid = smb_buf->Uid;   /* UID left in wire format (le) */
@@ -1456,10 +1456,13 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
                cifs_dbg(VFS, "bad security blob length %d\n",
                                blob_len);
                rc = -EINVAL;
-               goto out;
+               goto out_free_ntlmsspblob;
        }
 
        rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
+
+out_free_ntlmsspblob:
+       kfree(ntlmsspblob);
 out:
        sess_free_buffer(sess_data);