cifs: fix leak in FSCTL_ENUM_SNAPS response handling

The server may respond with success, and an output buffer less than sizeof(struct smb_snapshot_array) in length. Do not leak the output buffer in this case. Fixes: 834170c8 ("Enable previous version support") Signed-off-by: David Disseldorp <ddiss@suse.de> CC: Stable <stable@vger.kernel.org> Signed-off-by: Steve French <smfrench@gmail.com>

cifs: fix leak in FSCTL_ENUM_SNAPS response handling
The server may respond with success, and an output buffer less than sizeof(struct smb_snapshot_array) in length. Do not leak the output buffer in this case. Fixes: 834170c8 ("Enable previous version support") Signed-off-by: David Disseldorp <ddiss@suse.de> CC: Stable <stable@vger.kernel.org> Signed-off-by: Steve French <smfrench@gmail.com>
0e5c7955 · David Disseldorp · Steve French · 26c9cb66 · 0e5c7955
Commit 0e5c7955 authored May 03, 2017 by David Disseldorp Committed by Steve French May 03, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/cifs/smb2ops.c fs/cifs/smb2ops.c +1 -0

No files found.
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -942,6 +942,7 @@ smb3_enum_snapshots(const unsigned int xid, struct cifs_tcon *tcon,
 		}
 		if (snapshot_in.snapshot_array_size < sizeof(struct smb_snapshot_array)) {
 			rc = -ERANGE;
+			kfree(retbuf);
 			return rc;
 		}