* [smb3] unreachable code and memory leaks
@ 2018-06-18 13:07 Gustavo A. R. Silva
  2018-06-18 16:55 ` Steve French
  0 siblings, 1 reply; 5+ messages in thread
From: Gustavo A. R. Silva @ 2018-06-18 13:07 UTC
  To: Steve French
  Cc: linux-cifs, samba-technical, linux-kernel, Gustavo A. R. Silva

Hi Steve,

While doing some static analysis I came across the following piece of code at fs/cifs/smb2pdu.c:2017:

2017                if (n_iov > 2) {
2018                        struct create_context *ccontext =
2019                            (struct create_context *)iov[n_iov-1].iov_base;
2020                        ccontext->Next =
2021                                cpu_to_le32(iov[n_iov-1].iov_len);
2022                }

The code above is unreachable because n_iov is initialized to 2 and its value is never updated.
I'm not sure how to fix this.

Also, it seems there are multiple places in which memory allocated for *path* is leaking:

1946        else
1947                return -EIO;

1951        if (rc)
1952                return rc;

1987                if (rc) {
1988                        cifs_small_buf_release(req);
1989                        return rc;
1990                }

and more...

Thanks
--
Gustavo


* Re: [smb3] unreachable code and memory leaks
  2018-06-18 13:07 [smb3] unreachable code and memory leaks Gustavo A. R. Silva
@ 2018-06-18 16:55 ` Steve French
  2018-06-18 17:18   ` Steve French
  0 siblings, 1 reply; 5+ messages in thread
From: Steve French @ 2018-06-18 16:55 UTC
  To: Gustavo A. R. Silva; +Cc: Steve French, CIFS, samba-technical, LKML

On Mon, Jun 18, 2018 at 8:07 AM, Gustavo A. R. Silva
<gustavo@embeddedor.com> wrote:
> Hi Steve,
>
> While doing some static analysis I came across the following piece of code at fs/cifs/smb2pdu.c:2017:
>
> 2017                if (n_iov > 2) {
> 2018                        struct create_context *ccontext =
> 2019                            (struct create_context *)iov[n_iov-1].iov_base;
> 2020                        ccontext->Next =
> 2021                                cpu_to_le32(iov[n_iov-1].iov_len);
> 2022                }

Good catch - this is harmless (and experimental mount option) - cut
and paste - unneeded clause.
Fixing now


> Also, it seems there are multiple places in which memory allocated for *path* is leaking:
>
> 1946        else
> 1947                return -EIO;
>
> 1951        if (rc)
> 1952                return rc;
>
> 1987                if (rc) {
> 1988                        cifs_small_buf_release(req);
> 1989                        return rc;
> 1990                }

Cleaning that up now. Will post a patch - thx.


-- 
Thanks,

Steve


* Re: [smb3] unreachable code and memory leaks
  2018-06-18 16:55 ` Steve French
@ 2018-06-18 17:18   ` Steve French
  2018-06-18 17:34     ` Gustavo A. R. Silva
  0 siblings, 1 reply; 5+ messages in thread
From: Steve French @ 2018-06-18 17:18 UTC
  To: Gustavo A. R. Silva; +Cc: Steve French, CIFS, samba-technical, LKML

[-- Attachment #1: Type: text/plain, Size: 1444 bytes --]

Gustavo,
Thx for pointing this out.  Let me know if this patch addresses what
you found.  Code is experimental mount option but extremely important
to get right due to move away from SMB1/CIFS which had posix
extensions.



On Mon, Jun 18, 2018 at 11:55 AM, Steve French <smfrench@gmail.com> wrote:
> On Mon, Jun 18, 2018 at 8:07 AM, Gustavo A. R. Silva
> <gustavo@embeddedor.com> wrote:
>> Hi Steve,
>>
>> While doing some static analysis I came across the following piece of code at fs/cifs/smb2pdu.c:2017:
>>
>> 2017                if (n_iov > 2) {
>> 2018                        struct create_context *ccontext =
>> 2019                            (struct create_context *)iov[n_iov-1].iov_base;
>> 2020                        ccontext->Next =
>> 2021                                cpu_to_le32(iov[n_iov-1].iov_len);
>> 2022                }
>
> Good catch - this is harmless (and experimental mount option) - cut
> and paste - unneeded clause.
> Fixing now
>
>
>> Also, it seems there are multiple places in which memory allocated for *path* is leaking:
>>
>> 1946        else
>> 1947                return -EIO;
>>
>> 1951        if (rc)
>> 1952                return rc;
>>
>> 1987                if (rc) {
>> 1988                        cifs_small_buf_release(req);
>> 1989                        return rc;
>> 1990                }
>
> Cleaning that up now. Will post a patch - thx.
>
>
> --
> Thanks,
>
> Steve



-- 
Thanks,

Steve

[-- Attachment #2: 0001-smb3-fix-memory-leak-in-smb311_posix_mkdir.patch --]
[-- Type: text/x-patch, Size: 2329 bytes --]

From 0f4e3dec1c362119851aa2049ff23d1971b4e4a8 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Mon, 18 Jun 2018 12:02:47 -0500
Subject: [PATCH] smb3: fix memory leak in smb311_posix_mkdir

Signed-off-by: Steve French <stfrench@microsoft.com>
Reported-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/smb2pdu.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 810b85787c91..b0498cadb952 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1943,13 +1943,17 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
 
 	if (ses && (ses->server))
 		server = ses->server;
-	else
+	else {
+		kfree(path);
 		return -EIO;
+	}
 
 	rc = smb2_plain_req_init(SMB2_CREATE, tcon, (void **) &req, &total_len);
 
-	if (rc)
+	if (rc) {
+		kfree(path);
 		return rc;
+	}
 
 	if (smb3_encryption_required(tcon))
 		flags |= CIFS_TRANSFORM_REQ;
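
Review bot: In the first changed branch the `else` arm now has braces while the `if (ses && (ses->server))` arm does not; kernel coding style asks for braces on both arms once either one needs them, so the `server = ses->server;` arm should be braced as well. Both early returns in this hunk also repeat `kfree(path)` by hand; a single error label that frees path would make the cleanup harder to miss on the next exit added to this function.
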
@@ -1986,6 +1990,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
 						 tcon->treeName, path);
 		if (rc) {
 			cifs_small_buf_release(req);
+			kfree(path);
 			return rc;
 		}
 		req->NameLength = cpu_to_le16(name_len * 2);
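
Review bot: The `if (rc)` error path here now pairs `cifs_small_buf_release(req)` with `kfree(path)`, and the same pair is repeated in the `!copy_path` branch and after `add_posix_context()` further down. Unwinding through stacked labels (one that releases req, falling through to one that frees path) would replace these copies with a `goto` and keep the cleanup order in one place.
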
@@ -2000,6 +2005,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
 			copy_path = kzalloc(copy_size, GFP_KERNEL);
 			if (!copy_path) {
 				cifs_small_buf_release(req);
+				kfree(path);
 				return -ENOMEM;
 			}
 			memcpy((char *)copy_path, (const char *)path,
@@ -2014,17 +2020,11 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
 	req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE;
 
 	if (tcon->posix_extensions) {
-		if (n_iov > 2) {
-			struct create_context *ccontext =
-			    (struct create_context *)iov[n_iov-1].iov_base;
-			ccontext->Next =
-				cpu_to_le32(iov[n_iov-1].iov_len);
-		}
-
 		rc = add_posix_context(iov, &n_iov, mode);
 		if (rc) {
 			cifs_small_buf_release(req);
 			kfree(copy_path);
+			kfree(path);
 			return rc;
 		}
 		pc_buf = iov[n_iov-1].iov_base;
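
Review bot: Removing the `if (n_iov > 2)` block is not mentioned in the changelog, which consists only of the subject line about a memory leak. Either add a sentence to the commit message saying that the clause is dropped and why it is unneeded, or split the removal into its own patch so the leak fix can be reviewed and backported separately.
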
@@ -2057,6 +2057,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
 
 smb311_mkdir_exit:
 	kfree(copy_path);
+	kfree(path);
 	kfree(pc_buf);
 	free_rsp_buf(resp_buftype, rsp);
 	return rc;
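
Review bot: At `smb311_mkdir_exit` the function now calls `kfree(copy_path)` and then `kfree(path)`. The earlier hunk shows the contents of path being copied into copy_path with `memcpy()`; the lines after that memcpy are not visible in this patch, so please confirm that path still points at its original allocation when the label is reached. If path is repointed at copy_path there, this pair frees the same buffer twice and the original buffer is still leaked.
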
-- 
2.17.1



* Re: [smb3] unreachable code and memory leaks
  2018-06-18 17:18   ` Steve French
@ 2018-06-18 17:34     ` Gustavo A. R. Silva
  2018-06-19  1:20       ` Steve French
  0 siblings, 1 reply; 5+ messages in thread
From: Gustavo A. R. Silva @ 2018-06-18 17:34 UTC
  To: Steve French; +Cc: Steve French, CIFS, samba-technical, LKML

Hey Steve,

On 06/18/2018 12:18 PM, Steve French wrote:
> Gustavo,
> Thx for pointing this out.  Let me know if this patch addresses what
> you found.  Code is experimental mount option but extremely important
> to get right due to move away from SMB1/CIFS which had posix
> extensions.
> 

Yep. It seems correct.

Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Thanks!
--
Gustavo


* Re: [smb3] unreachable code and memory leaks
  2018-06-18 17:34     ` Gustavo A. R. Silva
@ 2018-06-19  1:20       ` Steve French
  0 siblings, 0 replies; 5+ messages in thread
From: Steve French @ 2018-06-19  1:20 UTC
  To: Gustavo A. R. Silva; +Cc: Steve French, CIFS, samba-technical, LKML

Aurelien spotted a problem with the patch - will resend to you

On Mon, Jun 18, 2018 at 12:34 PM, Gustavo A. R. Silva
<gustavo@embeddedor.com> wrote:
> Hey Steve,
>
> On 06/18/2018 12:18 PM, Steve French wrote:
>>
>> Gustavo,
>> Thx for pointing this out.  Let me know if this patch addresses what
>> you found.  Code is experimental mount option but extremely important
>> to get right due to move away from SMB1/CIFS which had posix
>> extensions.
>>
>
> Yep. It seems correct.
>
> Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
>
> Thanks!
> --
> Gustavo



-- 
Thanks,

Steve
