| author | Paulo Alcantara <pc@manguebit.org> | 2026-02-05 13:19:52 -0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-02-08 17:07:42 -0600 |
| commit | ebbbc4bfad4cb355d17c671223d0814ee3ef4eda (patch) | |
| tree | cb9da8233c242380b0448218f5da8c9f3b777501 | |
| parent | 05f7e89ab9731565d8a62e3b5d1ec206485eeb0b (diff) | |
smb: client: fix potential UAF and double free in smb2_open_file()
Zero out @err_iov and @err_buftype before retrying SMB2_open() to
prevent a UAF bug if @data != NULL, otherwise a double free.
Fixes: e3a43633023e ("smb/client: fix memory leak in smb2_open_file()")
Reported-by: David Howells <dhowells@redhat.com>
Closes: https://lore.kernel.org/r/2892312.1770306653@warthog.procyon.org.uk
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
| -rw-r--r-- | fs/smb/client/smb2file.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c index 2dd08388ea87..1f7f284a7844 100644 --- a/fs/smb/client/smb2file.c +++ b/fs/smb/client/smb2file.c @@ -179,6 +179,8 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, &err_buftype); if (rc == -EACCES && retry_without_read_attributes) { free_rsp_buf(err_buftype, err_iov.iov_base); + memset(&err_iov, 0, sizeof(err_iov)); + err_buftype = CIFS_NO_BUFFER; oparms->desired_access &= ~FILE_READ_ATTRIBUTES; rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, &err_buftype); |
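Review bot: the two added lines after free_rsp_buf(err_buftype, err_iov.iov_base) carry no comment saying why the reset is needed, and a later reader is likely to treat `memset(&err_iov, 0, sizeof(err_iov));` and `err_buftype = CIFS_NO_BUFFER;` as redundant and drop them. The reason is only in the commit message: the retry passes &err_iov and &err_buftype back into SMB2_open(), so if that call fails without filling them, the stale iov_base from the first attempt is freed a second time (or read after free when @data != NULL). Suggest a one-line comment above the memset stating that the freed buffer must not remain visible to the retry, and consider folding the free plus reset into a small helper so any other caller that frees and then reuses an err_iov gets the same clearing.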
