mirror of synced 2025-03-06 20:59:54 +01:00

ksmbd: fix use-after-free in smb2_lock

If smb_lock->zero_len has a value, ->llist of smb_lock is not deleted and
flock is the old one. It will cause a use-after-free in the error handling
routine.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Namjae Jeon 2025-02-26 15:44:02 +09:00 committed by Steve French
parent e2ff19f0b7
commit 84d2d1641b


@ -7458,13 +7458,13 @@ out_check_cl:
}
no_check_cl:
flock = smb_lock->fl;
list_del(&smb_lock->llist);
if (smb_lock->zero_len) {
err = 0;
goto skip;
}
flock = smb_lock->fl;
list_del(&smb_lock->llist);
retry:
rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
skip:
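
Review bot: The ordering requirement at `no_check_cl:` is undocumented. `flock = smb_lock->fl;` and `list_del(&smb_lock->llist);` now have to run before the `if (smb_lock->zero_len)` check, but nothing in the code says why, so a later cleanup could move them back below the `goto skip` and bring back the stale `flock` and still-linked entry that the commit message describes. A one-line comment above the pair stating that both must happen before the zero-length shortcut would make the dependency explicit. Separately, the zero_len path sets `err = 0` and jumps past `rc = vfs_lock_file(...)`, so `rc` is not assigned within these lines on that path; it is worth confirming that the code after `skip:` does not read it.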