Commit 1a2ab0fe authored by Linus Torvalds

Merge tag 'v7.1-rc4-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

 - Fix two null pointer dereferences and a memory leak

* tag 'v7.1-rc4-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix null pointer dereference in compare_guid_key()
  ksmbd: fix null pointer dereference in proc_show_files()
  ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
parents 0c0b282d 4b83cbc4
+5 −1
@@ -481,8 +481,12 @@ static inline int compare_guid_key(struct oplock_info *opinfo,
				   const char *guid1, const char *key1)
{
	const char *guid2, *key2;
	struct ksmbd_conn *conn;

	guid2 = opinfo->conn->ClientGUID;
	conn = READ_ONCE(opinfo->conn);
	if (!conn)
		return 0;
	guid2 = conn->ClientGUID;
	key2 = opinfo->o_lease->lease_key;
	if (!memcmp(guid1, guid2, SMB2_CLIENT_GUID_SIZE) &&
	    !memcmp(key1, key2, SMB2_LEASE_KEY_SIZE))
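Review bot: The NULL test on the `READ_ONCE(opinfo->conn)` snapshot guards against the pointer having been cleared, but it does not by itself keep the connection alive while `conn->ClientGUID` is passed to `memcmp()`. Nothing visible in this hunk shows a reference or lock being held across that read, so if the field can be cleared concurrently, the object behind the snapshot could presumably also be released, turning the NULL dereference into a use-after-free. I would add a comment above the snapshot stating what pins the connection, for example `/* opinfo->conn may be cleared concurrently; caller holds <lock or reference> so conn stays valid here */`, with the placeholder filled in from the call sites. `opinfo->o_lease` on the following line is still dereferenced unchecked, which is fine only if every caller passes a lease opinfo. The function body continues past the end of the hunk.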
+9 −3
@@ -643,8 +643,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
		ntace = (struct smb_ace *)((char *)pndace + *size);
		ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, flags,
				pace->e_perm, 0777);
		if (check_add_overflow(*size, ace_sz, size))
		if (check_add_overflow(*size, ace_sz, size)) {
			kfree(sid);
			break;
		}
		(*num_aces)++;
		if (pace->e_tag == ACL_USER)
			ntace->access_req |=
@@ -655,8 +657,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
			ntace = (struct smb_ace *)((char *)pndace + *size);
			ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED,
					0x03, pace->e_perm, 0777);
			if (check_add_overflow(*size, ace_sz, size))
			if (check_add_overflow(*size, ace_sz, size)) {
				kfree(sid);
				break;
			}
			(*num_aces)++;
			if (pace->e_tag == ACL_USER)
				ntace->access_req |=
@@ -698,8 +702,10 @@ static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap,
		ntace = (struct smb_ace *)((char *)pndace + *size);
		ace_sz = fill_ace_for_sid(ntace, sid, ACCESS_ALLOWED, 0x0b,
				pace->e_perm, 0777);
		if (check_add_overflow(*size, ace_sz, size))
		if (check_add_overflow(*size, ace_sz, size)) {
			kfree(sid);
			break;
		}
		(*num_aces)++;
		if (pace->e_tag == ACL_USER)
			ntace->access_req |=
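Review bot: In all three hunks the overflow branch now frees `sid`, but `check_add_overflow(*size, ace_sz, size)` writes its result through `size` even when it reports overflow, so as far as I can tell the caller is left with a wrapped `*size` after the `break`. Summing into a local of the same type as `*size` and committing only on success would avoid that: `if (check_add_overflow(*size, ace_sz, &new_size)) {` with `*size = new_size;` after the block. Note also that `fill_ace_for_sid()` has already written the ACE at `pndace + *size` before the check runs, and the check catches only arithmetic wrap; whether the buffer has room for that ACE is not visible here and is worth confirming at the allocation site. The function starts and ends outside these hunks.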
+1 −1
@@ -81,7 +81,7 @@ static int proc_show_files(struct seq_file *m, void *v)
	read_lock(&global_ft.lock);
	idr_for_each_entry(global_ft.idr, fp, id) {
		seq_printf(m, "%#-10x %#-10llx %#-10llx %#-10x",
			   fp->tcon->id,
			   fp->tcon ? fp->tcon->id : 0,
			   fp->persistent_id,
			   fp->volatile_id,
			   atomic_read(&fp->refcount));
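Review bot: `fp->tcon ? fp->tcon->id : 0` loads `fp->tcon` twice, so if the field can be cleared while `global_ft.lock` is only read-held, the second load can still see NULL. The hunk does not show whether clearing `fp->tcon` happens under the write side of that lock; if it does not, take one snapshot as the `compare_guid_key()` fix in this merge does: `tcon = READ_ONCE(fp->tcon);` and then pass `tcon ? tcon->id : 0`. The snapshot only prevents the re-read; the tree connect's lifetime across `tcon->id` still depends on whatever keeps it from being freed here. The function body starts and ends outside the hunk.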