Commit e85dea59 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - Two fixes for use after free in readdir code paths

* tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: Reset all search buffer pointers when releasing buffer
  smb: client: Fix use-after-free in cifs_fill_dirent
parents 5cdb2c77 e48f9d84
+5 −2
@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
			else
				cifs_buf_release(cfile->srch_inf.
						ntwrk_buf_start);
			/* Reset all pointers to the network buffer to prevent stale references */
			cfile->srch_inf.ntwrk_buf_start = NULL;
			cfile->srch_inf.srch_entries_start = NULL;
			cfile->srch_inf.last_entry = NULL;
		}
		rc = initiate_cifs_search(xid, file, full_path);
		if (rc) {
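Review bot: The reset after `cifs_buf_release()` clears the three buffer pointers but leaves the bookkeeping that describes the released buffer, such as `cfile->srch_inf.index_of_last_entry`, untouched. If `initiate_cifs_search()` fails at the `if (rc)` that follows, the structure holds NULL pointers alongside an index that still refers to the old buffer, so later readers must check the pointers before trusting the index; whether they do is not visible in this hunk. I would extend the comment to state that contract, for example `/* Reset all pointers into the released buffer; users must check ntwrk_buf_start for NULL before walking entries */`. find_cifs_entry starts and ends outside the hunk.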
@@ -756,11 +759,11 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
		rc = server->ops->query_dir_next(xid, tcon, &cfile->fid,
						 search_flags,
						 &cfile->srch_inf);
		if (rc)
			return -ENOENT;
		/* FindFirst/Next set last_entry to NULL on malformed reply */
		if (cfile->srch_inf.last_entry)
			cifs_save_resume_key(cfile->srch_inf.last_entry, cfile);
		if (rc)
			return -ENOENT;
	}
	if (index_to_find < cfile->srch_inf.index_of_last_entry) {
		/* we found the buffer that contains the entry */
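Review bot: The order of the two checks after `query_dir_next()` is what keeps `last_entry` from being read after a failed call, yet nothing at the `if (rc)` line says so, and the two blocks look freely reorderable. Assuming the early return is the new position (the page has lost its +/- markers), a comment above `if (rc)` such as `/* on error srch_inf may no longer describe a valid buffer; return before touching last_entry */` would protect the ordering from a later cleanup. That the failure path can leave `last_entry` stale is inferred from the commit subject, not shown in the hunk. The enclosing loop and the rest of find_cifs_entry are outside the hunk.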