Commit 4ca3a99c authored by Pavel Shilovsky's avatar Pavel Shilovsky Committed by Steve French

CIFS: Fix possible freed pointer dereference in SMB2_sess_setup

and remove redundant (rsp == NULL) checks after SendReceive2.
Signed-off-by: default avatarPavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent 760ad0ca
......@@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
if (rc != 0)
goto neg_exit;
if (rsp == NULL) {
rc = -EIO;
goto neg_exit;
}
cFYI(1, "mode 0x%x", rsp->SecurityMode);
if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
......@@ -637,13 +632,14 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
kfree(security_blob);
rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
if (resp_buftype != CIFS_NO_BUFFER &&
rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
if (phase != NtLmNegotiate) {
cERROR(1, "Unexpected more processing error");
goto ssetup_exit;
}
if (offsetof(struct smb2_sess_setup_rsp, Buffer) - 4 !=
le16_to_cpu(rsp->SecurityBufferOffset)) {
le16_to_cpu(rsp->SecurityBufferOffset)) {
cERROR(1, "Invalid security buffer offset %d",
le16_to_cpu(rsp->SecurityBufferOffset));
rc = -EIO;
......@@ -669,11 +665,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
if (rc != 0)
goto ssetup_exit;
if (rsp == NULL) {
rc = -EIO;
goto ssetup_exit;
}
ses->session_flags = le16_to_cpu(rsp->SessionFlags);
ssetup_exit:
free_rsp_buf(resp_buftype, rsp);
......@@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
goto tcon_error_exit;
}
if (rsp == NULL) {
rc = -EIO;
goto tcon_exit;
}
if (tcon == NULL) {
ses->ipc_tid = rsp->hdr.TreeId;
goto tcon_exit;
......@@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path,
goto creat_exit;
}
if (rsp == NULL) {
rc = -EIO;
goto creat_exit;
}
*persistent_fid = rsp->PersistentFileId;
*volatile_fid = rsp->VolatileFileId;
......@@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
goto close_exit;
}
if (rsp == NULL) {
rc = -EIO;
goto close_exit;
}
/* BB FIXME - decode close response, update inode for caching */
close_exit:
......@@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
goto out;
}
if (rsp == NULL) {
rc = -EIO;
goto out;
}
out:
free_rsp_buf(resp_buftype, rsp);
kfree(iov);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment