diff options
author | Pavel Shilovsky <piastry@etersoft.ru> | 2012-09-25 11:00:09 +0400 |
---|---|---|
committer | Steve French <smfrench@gmail.com> | 2012-09-26 22:15:18 -0500 |
commit | 4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9 (patch) | |
tree | 33a25d47a71929f62429ad93ec6b64ef88e9ad76 /fs/cifs/smb2pdu.c | |
parent | 760ad0cac198356c1148cad7531c1a6138322493 (diff) | |
download | linux-3.10-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.tar.gz linux-3.10-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.tar.bz2 linux-3.10-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.zip |
CIFS: Fix possible freed pointer dereference in SMB2_sess_setup
and remove redundant (rsp == NULL) checks after SendReceive2.
Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/smb2pdu.c')
-rw-r--r-- | fs/cifs/smb2pdu.c | 35 |
1 files changed, 3 insertions, 32 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index a7db95f4760..5ad88b4b999 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) if (rc != 0) goto neg_exit; - if (rsp == NULL) { - rc = -EIO; - goto neg_exit; - } - cFYI(1, "mode 0x%x", rsp->SecurityMode); if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name) @@ -637,13 +632,14 @@ ssetup_ntlmssp_authenticate: kfree(security_blob); rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; - if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { + if (resp_buftype != CIFS_NO_BUFFER && + rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { if (phase != NtLmNegotiate) { cERROR(1, "Unexpected more processing error"); goto ssetup_exit; } if (offsetof(struct smb2_sess_setup_rsp, Buffer) - 4 != - le16_to_cpu(rsp->SecurityBufferOffset)) { + le16_to_cpu(rsp->SecurityBufferOffset)) { cERROR(1, "Invalid security buffer offset %d", le16_to_cpu(rsp->SecurityBufferOffset)); rc = -EIO; @@ -669,11 +665,6 @@ ssetup_ntlmssp_authenticate: if (rc != 0) goto ssetup_exit; - if (rsp == NULL) { - rc = -EIO; - goto ssetup_exit; - } - ses->session_flags = le16_to_cpu(rsp->SessionFlags); ssetup_exit: free_rsp_buf(resp_buftype, rsp); @@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, goto tcon_error_exit; } - if (rsp == NULL) { - rc = -EIO; - goto tcon_exit; - } - if (tcon == NULL) { ses->ipc_tid = rsp->hdr.TreeId; goto tcon_exit; @@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path, goto creat_exit; } - if (rsp == NULL) { - rc = -EIO; - goto creat_exit; - } *persistent_fid = rsp->PersistentFileId; *volatile_fid = rsp->VolatileFileId; @@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon, goto close_exit; } - if (rsp == NULL) { - rc = -EIO; - goto close_exit; - } - /* BB FIXME - decode close response, update inode for caching */ close_exit: @@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE); goto out; } - - if (rsp == NULL) { - rc = -EIO; - goto out; - } - out: free_rsp_buf(resp_buftype, rsp); kfree(iov); |