Commit 1e440d5b authored Apr 07, 2025 by Sean Heelan Committed by Steve French Apr 14, 2025

ksmbd: Fix dangling pointer in krb_authenticate



krb_authenticate frees sess->user and does not set the pointer
to NULL. It calls ksmbd_krb5_authenticate to reinitialise
sess->user but that function may return without doing so. If
that happens then smb2_sess_setup, which calls krb_authenticate,
will be accessing free'd memory when it later uses sess->user.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 8ffd015d

fs/smb/server/smb2pdu.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmbd_work *work,
		if (prev_sess_id && prev_sess_id != sess->id)
		destroy_previous_session(conn, sess->user, prev_sess_id);

		if (sess->state == SMB2_SESSION_VALID)
		if (sess->state == SMB2_SESSION_VALID) {
		ksmbd_free_user(sess->user);
		sess->user = NULL;
		}

		retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
		out_blob, &out_len);