From patchwork Thu Jun 10 16:46:03 2021
X-Patchwork-Submitter: Colin King
X-Patchwork-Id: 12313565
From: Colin King To: Namjae Jeon , Sergey Senozhatsky , Steve French , Hyunchul Lee , linux-cifs@vger.kernel.org, linux-cifsd-devel@lists.sourceforge.net Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH][next] cifsd: fix kfree of uninitialized pointer oid Date: Thu, 10 Jun 2021 17:46:03 +0100 Message-Id: <20210610164603.554691-1-colin.king@canonical.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Colin Ian King Currently function ksmbd_neg_token_init_mech_type can kfree an uninitialized pointer oid when the call to asn1_oid_decode fails when vlen is out of range. All the other failure cases in function asn1_oid_decode set *oid to NULL on an error, so fix the issue by ensuring the vlen out of range error also nullifies the pointer. Fixes: 8bae4419ce63 ("cifsd: add goto fail in neg_token_init_mech_type()") Addresses-Coverity: ("Uninitialized pointer read") Signed-off-by: Colin Ian King --- fs/cifsd/asn1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c index 2c63a3e5618b..b014f4638610 100644 --- a/fs/cifsd/asn1.c +++ b/fs/cifsd/asn1.c @@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen, vlen += 1; if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long)) - return false; + goto fail_nullify; *oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL); if (!*oid) @@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen, fail: kfree(*oid); +fail_nullify: *oid = NULL; return false; }
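Review bot: in the first hunk (the vlen range check in asn1_oid_decode), the error path now jumps to a label whose only job is to store NULL. Setting *oid = NULL once at the top of the function would leave this check as a plain "return false" and would also cover any early return added before the kmalloc later. The goto is correct as written, since nothing has been allocated at that point and the new label skips the kfree.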
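Review bot: in the second hunk, the fail_nullify label lands between "kfree(*oid);" and "*oid = NULL;", so the function now has two exit labels and picking the wrong one before the allocation would bring the bug back. A one-line comment at the label saying it is for failures that occur before the kmalloc would make that distinction explicit. Since the commit message says ksmbd_neg_token_init_mech_type frees oid on failure, initializing oid to NULL in that caller would be a cheap second guard and could go in the same patch.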