From patchwork Tue Sep 25 07:00:09 2012
X-Patchwork-Submitter: Pavel Shilovsky
X-Patchwork-Id: 1502441
From: Pavel Shilovsky To: linux-cifs@vger.kernel.org Subject: [PATCH] CIFS: Fix possible freed pointer dereference in SMB2_sess_setup Date: Tue, 25 Sep 2012 11:00:09 +0400 Message-Id: <1348556409-10339-3-git-send-email-piastry@etersoft.ru> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1348556409-10339-1-git-send-email-piastry@etersoft.ru> References: <1348556409-10339-1-git-send-email-piastry@etersoft.ru> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org and remove redundant (rsp == NULL) checks after SendReceive2. Signed-off-by: Pavel Shilovsky --- fs/cifs/smb2pdu.c | 35 +++-------------------------------- 1 files changed, 3 insertions(+), 32 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index a7db95f..5ad88b4b 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -409,11 +409,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) if (rc != 0) goto neg_exit; - if (rsp == NULL) { - rc = -EIO; - goto neg_exit; - } - cFYI(1, "mode 0x%x", rsp->SecurityMode); if (rsp->DialectRevision == smb2protocols[SMB21_PROT].name) @@ -637,13 +632,14 @@ ssetup_ntlmssp_authenticate: kfree(security_blob); rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base; - if (rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { + if (resp_buftype != CIFS_NO_BUFFER && + rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) { if (phase != NtLmNegotiate) { cERROR(1, "Unexpected more processing error"); goto ssetup_exit; } if (offsetof(struct smb2_sess_setup_rsp, Buffer) - 4 != - le16_to_cpu(rsp->SecurityBufferOffset)) { + le16_to_cpu(rsp->SecurityBufferOffset)) { cERROR(1, "Invalid security buffer offset %d", le16_to_cpu(rsp->SecurityBufferOffset)); rc = -EIO; @@ -669,11 +665,6 @@ ssetup_ntlmssp_authenticate: if (rc != 0) goto ssetup_exit; - if (rsp == NULL) { - rc = -EIO; - goto ssetup_exit; - } - ses->session_flags = le16_to_cpu(rsp->SessionFlags); ssetup_exit: free_rsp_buf(resp_buftype, rsp); 
@@ -793,11 +784,6 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, goto tcon_error_exit; } - if (rsp == NULL) { - rc = -EIO; - goto tcon_exit; - } - if (tcon == NULL) { ses->ipc_tid = rsp->hdr.TreeId; goto tcon_exit; @@ -1046,10 +1032,6 @@ SMB2_open(const unsigned int xid, struct cifs_tcon *tcon, __le16 *path, goto creat_exit; } - if (rsp == NULL) { - rc = -EIO; - goto creat_exit; - } *persistent_fid = rsp->PersistentFileId; *volatile_fid = rsp->VolatileFileId; @@ -1111,11 +1093,6 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon, goto close_exit; } - if (rsp == NULL) { - rc = -EIO; - goto close_exit; - } - /* BB FIXME - decode close response, update inode for caching */ close_exit: @@ -1950,12 +1927,6 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE); goto out; } - - if (rsp == NULL) { - rc = -EIO; - goto out; - } - out: free_rsp_buf(resp_buftype, rsp); kfree(iov);
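Review bot: In the SMB2_negotiate hunk (@@ -409), rsp->SecurityMode is now read with only the rc != 0 check ahead of it, so the removal depends on SendReceive2 never returning 0 without a response buffer. The commit message calls the checks redundant but does not say why. Please state that guarantee in the commit message, since the same assumption carries the removals in SMB2_tcon and SMB2_open, where rsp->hdr.TreeId and rsp->PersistentFileId are read immediately afterwards.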
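Review bot: In the ssetup_ntlmssp_authenticate hunk (@@ -637), the new resp_buftype != CIFS_NO_BUFFER test has no comment, and neither the code nor the commit message says in which case iov[0].iov_base no longer points at a valid response here. A one-line comment above the condition would keep a later cleanup from dropping the test as redundant. The re-indentation of le16_to_cpu(rsp->SecurityBufferOffset)) { in the same hunk is an unrelated whitespace change and would be easier to review as a separate patch.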
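Review bot: In the @@ -669 hunk, ses->session_flags = le16_to_cpu(rsp->SessionFlags) loses its only guard, while the hunk just above adds a resp_buftype != CIFS_NO_BUFFER test because the same rsp may not point at a valid buffer. If rc == 0 can be reached with resp_buftype == CIFS_NO_BUFFER, this read has the same problem; either confirm in the commit message that it cannot, or guard this read the same way.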