From: Colin King <colin.king@canonical.com>
To: Namjae Jeon <namjae.jeon@samsung.com>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Steve French <sfrench@samba.org>,
Hyunchul Lee <hyc.lee@gmail.com>,
linux-cifs@vger.kernel.org,
linux-cifsd-devel@lists.sourceforge.net
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] cifsd: fix kfree of uninitialized pointer oid
Date: Thu, 10 Jun 2021 17:46:03 +0100
Message-ID: <20210610164603.554691-1-colin.king@canonical.com>
From: Colin Ian King <colin.king@canonical.com>
Currently function ksmbd_neg_token_init_mech_type can kfree an
uninitialized pointer oid when the call to asn1_oid_decode fails
when vlen is out of range. All the other failure cases in
function asn1_oid_decode set *oid to NULL on an error, so fix the
issue by ensuring the vlen out of range error also nullifies the
pointer.
Fixes: 8bae4419ce63 ("cifsd: add goto fail in neg_token_init_mech_type()")
Addresses-Coverity: ("Uninitialized pointer read")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
fs/cifsd/asn1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 2c63a3e5618b..b014f4638610 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
vlen += 1;
if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long))
- return false;
+ goto fail_nullify;
*oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
if (!*oid)
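Review bot: the vlen range check is the only exit taken before `*oid` is ever written, and routing it to a new label fixes that one path while leaving the out-parameter contract implicit. Assigning `*oid = NULL;` at the top of asn1_oid_decode, ahead of the `vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long)` test, would let this branch keep its plain `return false;` and would also cover any early return added later. Since the commit message says the caller, ksmbd_neg_token_init_mech_type, frees the pointer on failure, initializing its local to NULL there as well would make that kfree safe regardless of what the decoder does.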
@@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,
fail:
kfree(*oid);
+fail_nullify:
*oid = NULL;
return false;
}
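Review bot: `fail:` now falls through into `fail_nullify:` after `kfree(*oid);`, and nothing in the code marks that as intentional. A short comment at the fall-through, or a line in the function's header comment stating that `*oid` is always NULL when asn1_oid_decode returns false, would document the guarantee the caller depends on and make it harder for a later edit between the two labels to break it.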
--
2.31.1