From: Steve French <smfrench@gmail.com>
To: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: Steve French <sfrench@samba.org>,
CIFS <linux-cifs@vger.kernel.org>,
samba-technical <samba-technical@lists.samba.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [smb3] unreachable code and memory leaks
Date: Mon, 18 Jun 2018 12:18:25 -0500
Message-ID: <CAH2r5mvu7e2ec6fb0Aay5OAr8S31jy=j7_7sL_VRfi6U2G_mZA@mail.gmail.com>
In-Reply-To: <CAH2r5muZJkx0eR0uAyuRBkkTf7-97x5oSMWPXdfb1TUK4rwGJw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1444 bytes --]
Gustavo,

Thx for pointing this out. Let me know if this patch addresses what
you found. Code is experimental mount option but extremely important
to get right due to move away from SMB1/CIFS which had posix
extensions.

On Mon, Jun 18, 2018 at 11:55 AM, Steve French <smfrench@gmail.com> wrote:
> On Mon, Jun 18, 2018 at 8:07 AM, Gustavo A. R. Silva
> <gustavo@embeddedor.com> wrote:
>> Hi Steve,
>>
>> While doing some static analysis I came across the following piece of code at fs/cifs/smb2pdu.c:2017:
>>
>> 2017 if (n_iov > 2) {
>> 2018 struct create_context *ccontext =
>> 2019 (struct create_context *)iov[n_iov-1].iov_base;
>> 2020 ccontext->Next =
>> 2021 cpu_to_le32(iov[n_iov-1].iov_len);
>> 2022 }
>
> Good catch - this is harmless (and experimental mount option) - cut
> and paste - unneeded clause.
> Fixing now
>
>
>> Also, it seems there are multiple places in which memory allocated for *path* is leaking:
>>
>> 1946 else
>> 1947 return -EIO;
>>
>> 1951 if (rc)
>> 1952 return rc;
>>
>> 1987 if (rc) {
>> 1988 cifs_small_buf_release(req);
>> 1989 return rc;
>> 1990 }
>
> Cleaning that up now. Will post a patch - thx.
>
>
> --
> Thanks,
>
> Steve
--
Thanks,
Steve
[-- Attachment #2: 0001-smb3-fix-memory-leak-in-smb311_posix_mkdir.patch --]
[-- Type: text/x-patch, Size: 2329 bytes --]
From 0f4e3dec1c362119851aa2049ff23d1971b4e4a8 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Mon, 18 Jun 2018 12:02:47 -0500
Subject: [PATCH] smb3: fix memory leak in smb311_posix_mkdir
Signed-off-by: Steve French <stfrench@microsoft.com>
Reported-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
---
fs/cifs/smb2pdu.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 810b85787c91..b0498cadb952 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1943,13 +1943,17 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
if (ses && (ses->server))
server = ses->server;
- else
+ else {
+ kfree(path);
return -EIO;
+ }
rc = smb2_plain_req_init(SMB2_CREATE, tcon, (void **) &req, &total_len);
- if (rc)
+ if (rc) {
+ kfree(path);
return rc;
+ }
if (smb3_encryption_required(tcon))
flags |= CIFS_TRANSFORM_REQ;
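Review bot: style point on the first change in this hunk: the else arm now has braces while the "if (ses && (ses->server))" arm does not, and kernel coding style asks for braces on both arms once one of them needs them. Separately, both early returns here now carry their own kfree(path); a small error label that frees path and returns rc would keep a future early return in this part of the function from reintroducing the leak.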
@@ -1986,6 +1990,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
tcon->treeName, path);
if (rc) {
cifs_small_buf_release(req);
+ kfree(path);
return rc;
}
req->NameLength = cpu_to_le16(name_len * 2);
@@ -2000,6 +2005,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
copy_path = kzalloc(copy_size, GFP_KERNEL);
if (!copy_path) {
cifs_small_buf_release(req);
+ kfree(path);
return -ENOMEM;
}
memcpy((char *)copy_path, (const char *)path,
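Review bot: the "if (!copy_path)" error path now repeats the same two cleanup calls, cifs_small_buf_release(req) followed by kfree(path), that the previous hunk adds after the failed call there. Two identical hand-written unwind sequences are easy to get out of step; consider one label that releases req and path and have both sites set rc and jump to it.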
@@ -2014,17 +2020,11 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE;
if (tcon->posix_extensions) {
- if (n_iov > 2) {
- struct create_context *ccontext =
- (struct create_context *)iov[n_iov-1].iov_base;
- ccontext->Next =
- cpu_to_le32(iov[n_iov-1].iov_len);
- }
-
rc = add_posix_context(iov, &n_iov, mode);
if (rc) {
cifs_small_buf_release(req);
kfree(copy_path);
+ kfree(path);
return rc;
}
pc_buf = iov[n_iov-1].iov_base;
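Review bot: the commit message does not mention the removal of the "if (n_iov > 2)" block at the top of the tcon->posix_extensions branch; the subject covers only the memory leak and there is no changelog body. Add a sentence saying the block was unneeded and why, or move the removal into its own patch, so the change can be found and bisected independently of the leak fix. The kfree(path) added to the add_posix_context() failure path looks consistent with the other error paths in this patch.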
@@ -2057,6 +2057,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
smb311_mkdir_exit:
kfree(copy_path);
+ kfree(path);
kfree(pc_buf);
free_rsp_buf(resp_buftype, rsp);
return rc;
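Review bot: with kfree(path) added at smb311_mkdir_exit, path is freed here and also by hand before five early returns in the hunks above, so a later edit that converts one of those returns into "goto smb311_mkdir_exit" while leaving its kfree(path) in place would free path twice. In the visible lines every added kfree(path) is followed directly by a return, so nothing reaches this label after freeing. A one-line comment stating that this function frees path on every exit, or routing the early failures through labels instead of open-coded frees, would make that invariant harder to break.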
--
2.17.1