aboutsummaryrefslogtreecommitdiffstats
path: root/fs/cifs/smb2pdu.c
diff options
context:
space:
mode:
authorPavel Shilovsky <piastry@etersoft.ru>2012-09-25 11:00:09 +0400
committerSteve French <smfrench@gmail.com>2012-09-26 22:15:18 -0500
commit4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9 (patch)
tree33a25d47a71929f62429ad93ec6b64ef88e9ad76 /fs/cifs/smb2pdu.c
parent760ad0cac198356c1148cad7531c1a6138322493 (diff)
downloadkernel_goldelico_gta04-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.zip
kernel_goldelico_gta04-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.tar.gz
kernel_goldelico_gta04-4ca3a99ca4bf8f5dcfc4fef4f2b1d8322bb60ad9.tar.bz2
CIFS: Fix possible freed pointer dereference in SMB2_sess_setup
and remove redundant (rsp == NULL) checks after SendReceive2. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/smb2pdu.c')
-rw-r--r--fs/cifs/smb2pdu.c35
1 files changed, 3 insertions, 32 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index a7db95f..5ad88b4b 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
if (rc != 0)
goto neg_exit;
- if (rsp == NULL) {
- rc = -EIO;
- goto neg_exit;
- }
-
cFYI(1, "mode 0x%x", rsp->SecurityMode);
if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name)
@@ -637,13 +632,14 @@ ssetup_ntlmssp_authenticate:
kfree(security_blob);
rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
- if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
+ if (resp_buftype != CIFS_NO_BUFFER &&
+ rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
if (phase != NtLmNegotiate) {
cERROR(1, "Unexpected more processing error");
goto ssetup_exit;
}
if (offsetof(struct smb2_sess_setup_rsp, Buffer) - 4 !=
- le16_to_cpu(rsp->SecurityBufferOffset)) {
+ le16_to_cpu(rsp->SecurityBufferOffset)) {
cERROR(1, "Invalid security buffer offset %d",
le16_to_cpu(rsp->SecurityBufferOffset));
rc = -EIO;
@@ -669,11 +665,6 @@ ssetup_ntlmssp_authenticate:
if (rc != 0)
goto ssetup_exit;
- if (rsp == NULL) {
- rc = -EIO;
- goto ssetup_exit;
- }
-
ses->session_flags = le16_to_cpu(rsp->SessionFlags);
ssetup_exit:
free_rsp_buf(resp_buftype, rsp);
@@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
goto tcon_error_exit;
}
- if (rsp == NULL) {
- rc = -EIO;
- goto tcon_exit;
- }
-
if (tcon == NULL) {
ses->ipc_tid = rsp->hdr.TreeId;
goto tcon_exit;
@@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path,
goto creat_exit;
}
- if (rsp == NULL) {
- rc = -EIO;
- goto creat_exit;
- }
*persistent_fid = rsp->PersistentFileId;
*volatile_fid = rsp->VolatileFileId;
@@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
goto close_exit;
}
- if (rsp == NULL) {
- rc = -EIO;
- goto close_exit;
- }
-
/* BB FIXME - decode close response, update inode for caching */
close_exit:
@@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
goto out;
}
-
- if (rsp == NULL) {
- rc = -EIO;
- goto out;
- }
-
out:
free_rsp_buf(resp_buftype, rsp);
kfree(iov);