[PATCH][next] cifsd: fix kfree of uninitialized pointer oid

From: Colin King
Date: Thu Jun 10 2021 - 12:46:17 EST

Next message: Paolo Bonzini: "[PATCH] KVM: switch per-VM stats to u64"
Previous message: Laurent Pinchart: "Re: [PATCH v9 11/22] media: uvcvideo: Set unique vdev name based in type"
Next in thread: Namjae Jeon: "RE: [PATCH][next] cifsd: fix kfree of uninitialized pointer oid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

Currently function ksmbd_neg_token_init_mech_type can kfree an
uninitialized pointer oid when the call to asn1_oid_decode fails
when vlen is out of range. All the other failure cases in
function asn1_oid_decode set *oid to NULL on an error, so fix the
issue by ensuring the vlen out of range error also nullifies the
pointer.

Fixes: 8bae4419ce63 ("cifsd: add goto fail in neg_token_init_mech_type()")
Addresses-Coverity: ("Uninitialized pointer read")
Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
---
fs/cifsd/asn1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c
index 2c63a3e5618b..b014f4638610 100644
--- a/fs/cifsd/asn1.c
+++ b/fs/cifsd/asn1.c
@@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,

vlen += 1;
if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long))
- return false;
+ goto fail_nullify;

*oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL);
if (!*oid)
@@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen,

fail:
kfree(*oid);
+fail_nullify:
*oid = NULL;
return false;
}
--
2.31.1

Next message: Paolo Bonzini: "[PATCH] KVM: switch per-VM stats to u64"
Previous message: Laurent Pinchart: "Re: [PATCH v9 11/22] media: uvcvideo: Set unique vdev name based in type"
Next in thread: Namjae Jeon: "RE: [PATCH][next] cifsd: fix kfree of uninitialized pointer oid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]