34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From c3eedd3e0d50a748c6c520ba00377aba8150c713 Mon Sep 17 00:00:00 2001
|
|
From: Sean Heelan <seanheelan@gmail.com>
|
|
Date: Mon, 7 Apr 2025 11:26:50 +0000
|
|
Subject: ksmbd: Fix dangling pointer in krb_authenticate
|
|
|
|
krb_authenticate frees sess->user and does not set the pointer
|
|
to NULL. It calls ksmbd_krb5_authenticate to reinitialise
|
|
sess->user but that function may return without doing so. If
|
|
that happens then smb2_sess_setup, which calls krb_authenticate,
|
|
will be accessing free'd memory when it later uses sess->user.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
|
|
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
|
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
---
|
|
fs/smb/server/smb2pdu.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
--- a/fs/smb/server/smb2pdu.c
|
|
+++ b/fs/smb/server/smb2pdu.c
|
|
@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmb
|
|
if (prev_sess_id && prev_sess_id != sess->id)
|
|
destroy_previous_session(conn, sess->user, prev_sess_id);
|
|
|
|
- if (sess->state == SMB2_SESSION_VALID)
|
|
+ if (sess->state == SMB2_SESSION_VALID) {
|
|
ksmbd_free_user(sess->user);
|
|
+ sess->user = NULL;
|
|
+ }
|
|
|
|
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
|
|
out_blob, &out_len);
|