CIFS: Fix possible freed pointer dereference in SMB2_sess_setup

and remove redundant (rsp == NULL) checks after SendReceive2. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve French <smfrench@gmail.com>

CIFS: Fix possible freed pointer dereference in SMB2_sess_setup
and remove redundant (rsp == NULL) checks after SendReceive2. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve French <smfrench@gmail.com>
4ca3a99c · Pavel Shilovsky · Steve French · 760ad0ca · 4ca3a99c
Commit 4ca3a99c authored Sep 25, 2012 by Pavel Shilovsky Committed by Steve French Sep 26, 2012
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 32 deletions

fs/cifs/smb2pdu.c fs/cifs/smb2pdu.c +3 -32

No files found.
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
 	if (rc != 0)
 		goto neg_exit;
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto neg_exit;
-	}
 	cFYI(1, "mode 0x%x", rsp->SecurityMode);
 	if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
@@ -637,7 +632,8 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
 	kfree(security_blob);
 	rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
-	if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
+	if (resp_buftype != CIFS_NO_BUFFER &&
+	    rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
 		if (phase != NtLmNegotiate) {
 			cERROR(1, "Unexpected more processing error");
 			goto ssetup_exit;
@@ -669,11 +665,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
 	if (rc != 0)
 		goto ssetup_exit;
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto ssetup_exit;
-	}
 	ses->session_flags = le16_to_cpu(rsp->SessionFlags);
 ssetup_exit:
 	free_rsp_buf(resp_buftype, rsp);
@@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 		goto tcon_error_exit;
 	}
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto tcon_exit;
-	}
 	if (tcon == NULL) {
 		ses->ipc_tid = rsp->hdr.TreeId;
 		goto tcon_exit;
@@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path,
 		goto creat_exit;
 	}
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto creat_exit;
-	}
 	*persistent_fid = rsp->PersistentFileId;
 	*volatile_fid = rsp->VolatileFileId;
@@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
 		goto close_exit;
 	}
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto close_exit;
-	}
 	/* BB FIXME - decode close response, update inode for caching */
 close_exit:
@@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
 		cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
 		goto out;
 	}
-	if (rsp == NULL) {
-		rc = -EIO;
-		goto out;
-	}
 out:
 	free_rsp_buf(resp_buftype, rsp);
 	kfree(iov);