| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Jul 2020 18:13:42 +0100
From: Colin King <colin.king@...onical.com>
To: Steve French <sfrench@...ba.org>, Aurelien Aptel <aaptel@...e.com>,
Paulo Alcantara <pc@....nz>, linux-cifs@...r.kernel.org,
samba-technical@...ts.samba.org
Cc: kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH][next] cifs: fix double free error on share and prefix
From: Colin Ian King <colin.king@...onical.com>
Currently if the call dfs_cache_get_tgt_share fails we cannot
fully guarantee that share and prefix are set to NULL and the
next iteration of the loop can end up potentially double freeing
these pointers. Since the semantics of dfs_cache_get_tgt_share
are ambiguous for failure cases with the setting of share and
prefix (currently now and the possibly the future), it seems
prudent to set the pointers to NULL when the objects are
free'd to avoid any double frees.
Addresses-Coverity: ("Double free")
Fixes: 96296c946a2a ("cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect")
Signed-off-by: Colin Ian King <colin.king@...onical.com>
---
fs/cifs/connect.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 3c4dd4e1b9eb..4b2f5f5b3a8e 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -5574,6 +5574,8 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
kfree(share);
kfree(prefix);
+ share = NULL;
+ prefix = NULL;
rc = dfs_cache_get_tgt_share(tcon->dfs_path + 1, it, &share, &prefix);
if (rc) {
--
2.27.0
Powered by blists - more mailing lists