From patchwork Wed Oct 11 05:41:40 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ronnie Sahlberg X-Patchwork-Id: 9998703 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 53C1A60216 for ; Wed, 11 Oct 2017 05:41:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 50A2C288C9 for ; Wed, 11 Oct 2017 05:41:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 45214288CD; Wed, 11 Oct 2017 05:41:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C44BA288C9 for ; Wed, 11 Oct 2017 05:41:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754285AbdJKFl4 (ORCPT ); Wed, 11 Oct 2017 01:41:56 -0400 Received: from mx1.redhat.com ([209.132.183.28]:47904 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750729AbdJKFlz (ORCPT ); Wed, 11 Oct 2017 01:41:55 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B69814ACA5; Wed, 11 Oct 2017 05:41:55 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B69814ACA5 Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=lsahlber@redhat.com Received: from test1190.test.redhat.com (vpn2-54-56.bne.redhat.com [10.64.54.56]) by smtp.corp.redhat.com (Postfix) with ESMTP id 421165C1A3; Wed, 11 Oct 2017 05:41:53 +0000 (UTC) From: Ronnie Sahlberg To: linux-cifs Cc: Steve French Subject: [PATCH] cifs: fix remaining rsp_iov issues Date: Wed, 11 Oct 2017 16:41:40 +1100 Message-Id: <20171011054140.26535-2-lsahlber@redhat.com> In-Reply-To: <20171011054140.26535-1-lsahlber@redhat.com> References: <20171011054140.26535-1-lsahlber@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 11 Oct 2017 05:41:55 +0000 (UTC) Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch fixes the remaining issues with rsp_iov where we might dereference uninitialized pointers or pass them to free_rsp_buf(). There is also one memory leak that is fixed. Signed-off-by: Ronnie Sahlberg --- fs/cifs/smb2pdu.c | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6ff4c275ca9a..fd2b2b8e86b0 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -470,7 +470,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) struct smb2_negotiate_req *req; struct smb2_negotiate_rsp *rsp; struct kvec iov[1]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype; struct TCP_Server_Info *server = ses->server; @@ -1884,7 +1884,7 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, struct smb2_sync_hdr *shdr; struct cifs_ses *ses; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int resp_buftype; int n_iov; int rc = 0; @@ -1981,6 +1981,8 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov); cifs_small_buf_release(req); rsp = (struct smb2_ioctl_rsp *)rsp_iov.iov_base; + if (rsp == NULL) + goto ioctl_exit; if ((rc != 0) && (rc != -EINVAL)) { cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE); @@ -2064,7 +2066,7 @@ SMB2_close(const unsigned int xid, struct cifs_tcon *tcon, struct smb2_close_rsp *rsp; struct cifs_ses *ses = tcon->ses; struct kvec iov[1]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int resp_buftype; int rc = 0; int flags = 0; @@ -2168,9 +2170,9 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon, u32 *dlen) { struct smb2_query_info_req *req; - struct smb2_query_info_rsp *rsp = NULL; + struct smb2_query_info_rsp *rsp; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype; struct cifs_ses *ses = tcon->ses; @@ -2404,7 +2406,7 @@ SMB2_flush(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, struct smb2_flush_req *req; struct cifs_ses *ses = tcon->ses; struct kvec iov[1]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int resp_buftype; int rc = 0; int flags = 0; @@ -2639,10 +2641,10 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, { int resp_buftype, rc = -EACCES; struct smb2_read_plain_req *req = NULL; - struct smb2_read_rsp *rsp = NULL; + struct smb2_read_rsp *rsp; struct smb2_sync_hdr *shdr; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; unsigned int total_len; __be32 req_len; struct smb_rqst rqst = { .rq_iov = iov, @@ -2669,6 +2671,10 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, cifs_small_buf_release(req); rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; + if (rsp == NULL) { + cifs_dbg(VFS, "rsp is NULL in read\n"); + return -EIO; + } shdr = get_sync_hdr(rsp); if (shdr->Status == STATUS_END_OF_FILE) { @@ -2856,9 +2862,9 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms, { int rc = 0; struct smb2_write_req *req = NULL; - struct smb2_write_rsp *rsp = NULL; + struct smb2_write_rsp *rsp; int resp_buftype; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int flags = 0; *nbytes = 0; @@ -2963,7 +2969,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, struct smb2_query_directory_req *req; struct smb2_query_directory_rsp *rsp = NULL; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int len; int resp_buftype = CIFS_NO_BUFFER; @@ -3093,9 +3099,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, void **data, unsigned int *size) { struct smb2_set_info_req *req; - struct smb2_set_info_rsp *rsp = NULL; + struct smb2_set_info_rsp *rsp; struct kvec *iov; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype; unsigned int i; @@ -3376,9 +3382,9 @@ int SMB2_QFS_info(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, u64 volatile_fid, struct kstatfs *fsdata) { - struct smb2_query_info_rsp *rsp = NULL; + struct smb2_query_info_rsp *rsp; struct kvec iov; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype; struct cifs_ses *ses = tcon->ses; @@ -3419,9 +3425,9 @@ int SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, u64 volatile_fid, int level) { - struct smb2_query_info_rsp *rsp = NULL; + struct smb2_query_info_rsp *rsp; struct kvec iov; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int rc = 0; int resp_buftype, max_len, min_len; struct cifs_ses *ses = tcon->ses; @@ -3492,7 +3498,7 @@ smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon, int rc = 0; struct smb2_lock_req *req = NULL; struct kvec iov[2]; - struct kvec rsp_iov; + struct kvec rsp_iov = { NULL, 0 }; int resp_buf_type; unsigned int count; int flags = CIFS_NO_RESP; @@ -3525,6 +3531,7 @@ smb2_lockv(const unsigned int xid, struct cifs_tcon *tcon, rc = SendReceive2(xid, tcon->ses, iov, 2, &resp_buf_type, flags, &rsp_iov); cifs_small_buf_release(req); + free_rsp_buf(resp_buf_type, rsp_iov.iov_base); if (rc) { cifs_dbg(FYI, "Send error in smb2_lockv = %d\n", rc); cifs_stats_fail_inc(tcon, SMB2_LOCK_HE);