Commit 048efe12 authored by Paulo Alcantara's avatar Paulo Alcantara Committed by Steve French
Browse files

smb: client: fix oops due to uninitialised var in smb2_unlink() 



If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set @rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @rqst.

Reported-by: default avatarThiago Becker <tbecker@redhat.com>
Fixes: 1cf9f2a6 ("smb: client: handle unlink(2) of files open by different clients")
Signed-off-by: default avatarPaulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 340cea84

fs/smb/client/smb2inode.c

+3 −1
Original line number Diff line number Diff line
@@ -1216,6 +1216,7 @@ smb2_unlink(const unsigned int xid, struct cifs_tcon *tcon, const char *name, 
	memset(resp_buftype, 0, sizeof(resp_buftype));

	memset(rsp_iov, 0, sizeof(rsp_iov));



	memset(open_iov, 0, sizeof(open_iov));

	rqst[0].rq_iov = open_iov;

	rqst[0].rq_nvec = ARRAY_SIZE(open_iov);
@@ -1240,14 +1241,15 @@ smb2_unlink(const unsigned int xid, struct cifs_tcon *tcon, const char *name, 
	creq = rqst[0].rq_iov[0].iov_base;

	creq->ShareAccess = FILE_SHARE_DELETE_LE;



	memset(&close_iov, 0, sizeof(close_iov));

	rqst[1].rq_iov = &close_iov;

	rqst[1].rq_nvec = 1;



	rc = SMB2_close_init(tcon, server, &rqst[1],

			     COMPOUND_FID, COMPOUND_FID, false);

	smb2_set_related(&rqst[1]);

	if (rc)

		goto err_free;

	smb2_set_related(&rqst[1]);



	if (retries) {

		/* Back-off before retry */