cifsd: Fix potential null-ptr-deref in destroy_previous_session()

The user field in the session structure is allocated when the client is authenticated. If the client explicitly logs off, the user field is freed, but the session is kept around in case the user reconnects. If the TCP connection hasn't been closed and the client sends a session setup with a PreviousSessionId set, destroy_previous_session() will be called to check if the session needs to be cleaned up. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>

cifsd: Fix potential null-ptr-deref in destroy_previous_session()
The user field in the session structure is allocated when the client is authenticated. If the client explicitly logs off, the user field is freed, but the session is kept around in case the user reconnects. If the TCP connection hasn't been closed and the client sends a session setup with a PreviousSessionId set, destroy_previous_session() will be called to check if the session needs to be cleaned up. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>
1fca8038 · Marios Makassikis · Steve French · e7735c85 · 1fca8038
Commit 1fca8038 authored May 06, 2021 by Marios Makassikis Committed by Steve French May 10, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

fs/cifsd/smb2pdu.c fs/cifsd/smb2pdu.c +2 -1

No files found.
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -619,7 +619,8 @@ static void destroy_previous_session(struct ksmbd_user *user, u64 id)

 	prev_user = prev_sess->user;

-	if (strcmp(user->name, prev_user->name) ||
+	if (!prev_user ||
+	    strcmp(user->name, prev_user->name) ||
 	    user->passkey_sz != prev_user->passkey_sz ||
 	    memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) {
 		put_session(prev_sess);