Commit b8fc56fb authored Nov 04, 2024 by Namjae Jeon

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp



ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
It will avoid freeing session before calling smb3_preauth_hash_rsp().

Cc: stable@vger.kernel.org # v5.15+
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 0a77715d

fs/smb/server/server.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
		} while (is_chained == true);

		send:
		if (work->sess)
		ksmbd_user_session_put(work->sess);
		if (work->tcon)
		ksmbd_tree_connect_put(work->tcon);
		smb3_preauth_hash_rsp(work);
		if (work->sess)
		ksmbd_user_session_put(work->sess);
		if (work->sess && work->sess->enc && work->encrypted &&
		conn->ops->encrypt_resp) {
		rc = conn->ops->encrypt_resp(work);