Commit 7ac5b66a authored by Namjae Jeon, committed by Steve French

ksmbd: fix null pointer dereference in destroy_previous_session



If the client sets ->PreviousSessionId at the Kerberos session setup stage,
a NULL pointer dereference error will happen. Since sess->user is not
set yet, it can pass the user argument as NULL to destroy_previous_session.
sess->user will be set in ksmbd_krb5_authenticate(). So this patch moves
the call to destroy_previous_session() after ksmbd_krb5_authenticate().

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent a89f5fae
+6 −5
@@ -1607,17 +1607,18 @@ static int krb5_authenticate(struct ksmbd_work *work,
	out_len = work->response_sz -
		(le16_to_cpu(rsp->SecurityBufferOffset) + 4);

	/* Check previous session */
	prev_sess_id = le64_to_cpu(req->PreviousSessionId);
	if (prev_sess_id && prev_sess_id != sess->id)
		destroy_previous_session(conn, sess->user, prev_sess_id);

	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
					 out_blob, &out_len);
	if (retval) {
		ksmbd_debug(SMB, "krb5 authentication failed\n");
		return -EINVAL;
	}

	/* Check previous session */
	prev_sess_id = le64_to_cpu(req->PreviousSessionId);
	if (prev_sess_id && prev_sess_id != sess->id)
		destroy_previous_session(conn, sess->user, prev_sess_id);

	rsp->SecurityBufferLength = cpu_to_le16(out_len);

	if ((conn->sign || server_conf.enforced_signing) ||
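Review bot: the relocated block after the ksmbd_krb5_authenticate() error check still passes sess->user straight into destroy_previous_session() with no NULL check, so the fix depends entirely on ksmbd_krb5_authenticate() populating sess->user on every success path; a one-line comment at the call site (or a WARN_ON_ONCE(!sess->user) guard) would record that invariant so a later change to the authenticate path cannot quietly reintroduce the dereference. The new ordering is otherwise the right one: a failed Kerberos exchange now returns -EINVAL before the PreviousSessionId is ever read, so an unauthenticated client can no longer reach destroy_previous_session() at all, which is the behaviour the commit message describes. Since this is Cc: stable, a Fixes: tag naming the commit that introduced the early destroy_previous_session() call would help the backport tooling.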