Skip to content
Permalink
Browse files

cifs: Fix use-after-free in SMB2_write

There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_write+0x1342/0x1580
Read of size 8 at addr ffff8880b6a8e450 by task ln/4196

Should not release the 'req' because it will use in the trace.

Fixes: eccb442 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
  • Loading branch information...
z00467499 authored and Steve French committed Apr 6, 2019
1 parent 618d919 commit 6a3eb3360667170988f8a6477f6686242061488a
Showing with 1 addition and 1 deletion.
  1. +1 −1 fs/cifs/smb2pdu.c
@@ -3769,7 +3769,6 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,

rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst,
&resp_buftype, flags, &rsp_iov);
cifs_small_buf_release(req);
rsp = (struct smb2_write_rsp *)rsp_iov.iov_base;

if (rc) {
@@ -3787,6 +3786,7 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
io_parms->offset, *nbytes);
}

cifs_small_buf_release(req);
free_rsp_buf(resp_buftype, rsp);
return rc;
}

0 comments on commit 6a3eb33

Please sign in to comment.
You can’t perform that action at this time.