Commit 1e689a56 authored by Marios Makassikis, committed by Steve French

smb: server: fix use-after-free in smb2_open()



The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
dereferenced after rcu_read_unlock(), creating a use-after-free
window.

Cc: stable@vger.kernel.org
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent eac3361e
+2 −3
@@ -3617,10 +3617,8 @@ int smb2_open(struct ksmbd_work *work)

reconnected_fp:
	rsp->StructureSize = cpu_to_le16(89);
	rcu_read_lock();
	opinfo = rcu_dereference(fp->f_opinfo);
	opinfo = opinfo_get(fp);
	rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
	rcu_read_unlock();
	rsp->Flags = 0;
	rsp->CreateAction = cpu_to_le32(file_info);
	rsp->CreationTime = cpu_to_le64(fp->create_time);
@@ -3661,6 +3659,7 @@ int smb2_open(struct ksmbd_work *work)
		next_ptr = &lease_ccontext->Next;
		next_off = conn->vals->create_lease_size;
	}
	opinfo_put(opinfo);

	if (maximal_access_ctxt) {
		struct create_context *mxac_ccontext;
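Review bot: The unconditional `opinfo_put(opinfo);` added after the lease-context block is reached with opinfo == NULL whenever the file carries no oplock, a case the first hunk explicitly tolerates with `rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;`; unless opinfo_put() itself accepts a NULL argument (its body is not visible here), this trades the use-after-free for a NULL dereference, so the call should be guarded as `if (opinfo)` / `opinfo_put(opinfo);`. The reference taken by opinfo_get() is now held across lines 3635–3659, which lie between the two hunks and outside this view; if that span contains any early return or goto, the reference is leaked on that path, so the put belongs on every exit (e.g. under a common error label) rather than only on the straight-line path. A short comment at the opinfo_get() site, such as `/* holds a ref; dropped by opinfo_put() below */`, would make the pairing obvious to the next reader. smb2_open() begins and ends outside both hunks.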