* [PATCH] CIFS: Fix NULL pointer deref on TCON failures
@ 2017-10-10 23:01 Ronnie Sahlberg
  2017-10-11 11:23 ` [PATCH] CIFS: Fix NULL pointer deref on SMB2_tcon() failure Aurelien Aptel
       [not found] ` <20171010230138.31832-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 2 replies; 7+ messages in thread
From: Ronnie Sahlberg @ 2017-10-10 23:01 UTC (permalink / raw)
  To: linux-cifs; +Cc: Steve French

Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 fs/cifs/smb2pdu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6f0e6343c15e..6ff4c275ca9a 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1255,7 +1255,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 	struct smb2_tree_connect_req *req;
 	struct smb2_tree_connect_rsp *rsp = NULL;
 	struct kvec iov[2];
-	struct kvec rsp_iov;
+	struct kvec rsp_iov = { NULL, 0 };
 	int rc = 0;
 	int resp_buftype;
 	int unc_path_len;
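Review bot: The changelog is empty apart from the Signed-off-by, so nothing explains why `rsp_iov` needs an initialiser at this declaration. A sentence naming the SendReceive2() failure that leaves `rsp_iov` unwritten, and where the resulting pointer is later dereferenced, would let the stable maintainers judge the backport. A designated initialiser such as `{ .iov_base = NULL, .iov_len = 0 }` would also avoid depending on the field order of struct kvec.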
@@ -1315,6 +1315,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 	rc = SendReceive2(xid, ses, iov, 2, &resp_buftype, flags, &rsp_iov);
 	cifs_small_buf_release(req);
 	rsp = (struct smb2_tree_connect_rsp *)rsp_iov.iov_base;
+	if (rsp == NULL)
+		goto tcon_exit;
 
 	if (rc != 0) {
 		if (tcon) {
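Review bot: The new `if (rsp == NULL) goto tcon_exit;` sits ahead of the `if (rc != 0)` block, so a failed SendReceive2() that returns no response buffer now skips whatever that block does for `tcon`. The test also ignores `rc`, so it is worth confirming that a NULL `rsp` can never arrive together with `rc == 0`, otherwise `tcon_exit` is reached with a success code. Guarding the dereference at the point where it happens, or moving this test below the `rc != 0` handling, would keep the existing error path intact.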
-- 
2.13.3


* Re: [PATCH] CIFS: Fix NULL pointer deref on TCON failures
       [not found] ` <20171010230138.31832-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2017-10-10 23:07   ` Steve French
  2017-10-11 11:23   ` Aurélien Aptel
  2017-10-11 15:18   ` Steve French
  2 siblings, 0 replies; 7+ messages in thread
From: Steve French @ 2017-10-10 23:07 UTC (permalink / raw)
  To: Ronnie Sahlberg; +Cc: linux-cifs

probably should cc stable ...

On Tue, Oct 10, 2017 at 6:01 PM, Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
>  fs/cifs/smb2pdu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 6f0e6343c15e..6ff4c275ca9a 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1255,7 +1255,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         struct smb2_tree_connect_req *req;
>         struct smb2_tree_connect_rsp *rsp = NULL;
>         struct kvec iov[2];
> -       struct kvec rsp_iov;
> +       struct kvec rsp_iov = { NULL, 0 };
>         int rc = 0;
>         int resp_buftype;
>         int unc_path_len;
> @@ -1315,6 +1315,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         rc = SendReceive2(xid, ses, iov, 2, &resp_buftype, flags, &rsp_iov);
>         cifs_small_buf_release(req);
>         rsp = (struct smb2_tree_connect_rsp *)rsp_iov.iov_base;
> +       if (rsp == NULL)
> +               goto tcon_exit;
>
>         if (rc != 0) {
>                 if (tcon) {
> --
> 2.13.3
>



-- 
Thanks,

Steve


* Re: [PATCH] CIFS: Fix NULL pointer deref on TCON failures
       [not found] ` <20171010230138.31832-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2017-10-10 23:07   ` [PATCH] CIFS: Fix NULL pointer deref on TCON failures Steve French
@ 2017-10-11 11:23   ` Aurélien Aptel
  2017-10-11 15:18   ` Steve French
  2 siblings, 0 replies; 7+ messages in thread
From: Aurélien Aptel @ 2017-10-11 11:23 UTC (permalink / raw)
  To: Ronnie Sahlberg, linux-cifs; +Cc: Steve French

Wah! I believe we worked on the exact same bug. I was just about to send
a similar patch (coming up).

The difference is the code still goes thru the block that sets the
reconnect flag, which we should do I think.

>	rsp = (struct smb2_tree_connect_rsp *)rsp_iov.iov_base;
>
>	if (rc != 0) {
>		if (tcon) {
>			cifs_stats_fail_inc(tcon, SMB2_TREE_CONNECT_HE);
>			tcon->need_reconnect = true;
>		}
>		goto tcon_error_exit;
>	}

this block ^^^^^

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


* [PATCH] CIFS: Fix NULL pointer deref on SMB2_tcon() failure
  2017-10-10 23:01 [PATCH] CIFS: Fix NULL pointer deref on TCON failures Ronnie Sahlberg
@ 2017-10-11 11:23 ` Aurelien Aptel
       [not found]   ` <20171011112336.11263-1-aaptel-IBi9RG/b67k@public.gmane.org>
       [not found] ` <20171010230138.31832-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  1 sibling, 1 reply; 7+ messages in thread
From: Aurelien Aptel @ 2017-10-11 11:23 UTC (permalink / raw)
  To: linux-cifs; +Cc: lsahlber, smfrench, Aurelien Aptel, stable

If SendReceive2() fails rsp is set to NULL but is dereferenced in the
error handling code.

Cc: stable@vger.kernel.org
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 7aa67206f6da..eb658b641ded 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1168,7 +1168,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 	struct smb2_tree_connect_req *req;
 	struct smb2_tree_connect_rsp *rsp = NULL;
 	struct kvec iov[2];
-	struct kvec rsp_iov;
+	struct kvec rsp_iov = { NULL, 0 };
 	int rc = 0;
 	int resp_buftype;
 	int unc_path_len;
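Review bot: The changelog says rsp "is set to NULL" when SendReceive2() fails, but before this hunk `rsp_iov` was declared without an initialiser, so that statement only holds if SendReceive2() writes `rsp_iov` on every failure path. Please state in the message that `struct kvec rsp_iov = { NULL, 0 };` is what guarantees the NULL, since the `rsp &&` test in the second hunk relies on it.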
@@ -1285,7 +1285,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
 	return rc;
 
 tcon_error_exit:
-	if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
+	if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
 		cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
 	}
 	goto tcon_exit;
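Review bot: The `rsp &&` test at `tcon_error_exit` protects only this one dereference, and nothing visible in the hunk shows how `tcon_exit` treats a NULL `rsp`, so the changelog should confirm that path was checked as well. Since the line is being touched anyway, the braces around the single cifs_dbg() statement could be dropped, per kernel coding style.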
-- 
2.12.3


* Re: [PATCH] CIFS: Fix NULL pointer deref on TCON failures
       [not found] ` <20171010230138.31832-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2017-10-10 23:07   ` [PATCH] CIFS: Fix NULL pointer deref on TCON failures Steve French
  2017-10-11 11:23   ` Aurélien Aptel
@ 2017-10-11 15:18   ` Steve French
  2 siblings, 0 replies; 7+ messages in thread
From: Steve French @ 2017-10-11 15:18 UTC (permalink / raw)
  To: Ronnie Sahlberg; +Cc: linux-cifs

merged into cifs-2.6.git for-next and cc: stable

On Tue, Oct 10, 2017 at 6:01 PM, Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
>  fs/cifs/smb2pdu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 6f0e6343c15e..6ff4c275ca9a 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1255,7 +1255,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         struct smb2_tree_connect_req *req;
>         struct smb2_tree_connect_rsp *rsp = NULL;
>         struct kvec iov[2];
> -       struct kvec rsp_iov;
> +       struct kvec rsp_iov = { NULL, 0 };
>         int rc = 0;
>         int resp_buftype;
>         int unc_path_len;
> @@ -1315,6 +1315,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         rc = SendReceive2(xid, ses, iov, 2, &resp_buftype, flags, &rsp_iov);
>         cifs_small_buf_release(req);
>         rsp = (struct smb2_tree_connect_rsp *)rsp_iov.iov_base;
> +       if (rsp == NULL)
> +               goto tcon_exit;
>
>         if (rc != 0) {
>                 if (tcon) {
> --
> 2.13.3
>



-- 
Thanks,

Steve


* Re: [PATCH] CIFS: Fix NULL pointer deref on SMB2_tcon() failure
  2017-10-11 11:23 ` [PATCH] CIFS: Fix NULL pointer deref on SMB2_tcon() failure Aurelien Aptel
@ 2017-10-11 18:08       ` Pavel Shilovsky
  0 siblings, 0 replies; 7+ messages in thread
From: Pavel Shilovsky @ 2017-10-11 18:08 UTC (permalink / raw)
  To: Aurelien Aptel
  Cc: linux-cifs, Ronnie Sahlberg, Steve French, stable-u79uwXL29TY76Z2rM5mHXA

2017-10-11 4:23 GMT-07:00 Aurelien Aptel <aaptel-IBi9RG/b67k@public.gmane.org>:
> If SendReceive2() fails rsp is set to NULL but is dereferenced in the
> error handling code.
>
> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Signed-off-by: Aurelien Aptel <aaptel-IBi9RG/b67k@public.gmane.org>
> ---
>  fs/cifs/smb2pdu.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 7aa67206f6da..eb658b641ded 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -1168,7 +1168,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         struct smb2_tree_connect_req *req;
>         struct smb2_tree_connect_rsp *rsp = NULL;
>         struct kvec iov[2];
> -       struct kvec rsp_iov;
> +       struct kvec rsp_iov = { NULL, 0 };
>         int rc = 0;
>         int resp_buftype;
>         int unc_path_len;
> @@ -1285,7 +1285,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
>         return rc;
>
>  tcon_error_exit:
> -       if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
> +       if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
>                 cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
>         }
>         goto tcon_exit;
> --
> 2.12.3
>

Good catch, Ronnie, Aurelien!

Reviewed-by: Pavel Shilovsky <pshilov-0li6OtcxBFHby3iVrkZq2A@public.gmane.org>

It seems like the issue exists even before SendReceive2() refactoring
but wasn't triggered until DFS support was added.

--
Best regards,
Pavel Shilovsky
