Re: [PATCH v2] ksmbd: defer destroy_previous_session() until after NTLM authentication

From: Namjae Jeon

Date: Fri Jul 03 2026 - 22:26:41 EST


On Sat, Jul 4, 2026 at 4:26 AM James Montgomery
<james_montgomery@xxxxxxxxxxx> wrote:
>
> In ntlm_authenticate(), destroy_previous_session() is called using a
> user pointer resolved from the client-supplied NTLM blob username field
> before the NTLMv2 response is validated. An authenticated attacker can
> set the NTLM blob username to match a victim account and set
> PreviousSessionId to the victim's session ID; destroy_previous_session()
> destroys the victim's session while ksmbd_decode_ntlmssp_auth_blob()
> subsequently rejects the request with -EPERM.
>
> Move destroy_previous_session() and the prev_id assignment to after
> ksmbd_decode_ntlmssp_auth_blob() returns success and use sess->user
> rather than the pre-authentication lookup result. This matches the
> ordering already used by krb5_authenticate(), where
> destroy_previous_session() is called only after
> ksmbd_krb5_authenticate() returns success.
>
> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
> Cc: stable@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/linux-cifs/20260702155449.3639773-1-james_montgomery@xxxxxxxxxxx/
> Signed-off-by: James Montgomery <james_montgomery@xxxxxxxxxxx>
Applied it to #ksmbd-for-next-next.
Thanks!