From: Shyam Prasad N sprasad@microsoft.com
commit e3548aaf41a200c2af359462be23bcdd76efd795 upstream.
One of my previous fixes: cifs: send workstation name during ntlmssp session setup ...changed the prototype of build_ntlmssp_negotiate_blob from being allocated by the caller to being allocated within the function. The caller needs to free this object too. While SMB2 version of the caller did it, I forgot to free for the SMB1 version. Fixing that here.
Fixes: 49bd49f983b5 ("cifs: send workstation name during ntlmssp session setup") Cc: stable@vger.kernel.org # 5.16 Signed-off-by: Shyam Prasad N sprasad@microsoft.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/cifs/sess.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
--- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -1354,7 +1354,7 @@ sess_auth_rawntlmssp_negotiate(struct se &blob_len, ses, sess_data->nls_cp); if (rc) - goto out; + goto out_free_ntlmsspblob;
sess_data->iov[1].iov_len = blob_len; sess_data->iov[1].iov_base = ntlmsspblob; @@ -1362,7 +1362,7 @@ sess_auth_rawntlmssp_negotiate(struct se
rc = _sess_auth_rawntlmssp_assemble_req(sess_data); if (rc) - goto out; + goto out_free_ntlmsspblob;
rc = sess_sendreceive(sess_data);
@@ -1376,14 +1376,14 @@ sess_auth_rawntlmssp_negotiate(struct se rc = 0;
if (rc) - goto out; + goto out_free_ntlmsspblob;
cifs_dbg(FYI, "rawntlmssp session setup challenge phase\n");
if (smb_buf->WordCount != 4) { rc = -EIO; cifs_dbg(VFS, "bad word count %d\n", smb_buf->WordCount); - goto out; + goto out_free_ntlmsspblob; }
ses->Suid = smb_buf->Uid; /* UID left in wire format (le) */ @@ -1397,10 +1397,13 @@ sess_auth_rawntlmssp_negotiate(struct se cifs_dbg(VFS, "bad security blob length %d\n", blob_len); rc = -EINVAL; - goto out; + goto out_free_ntlmsspblob; }
rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses); + +out_free_ntlmsspblob: + kfree(ntlmsspblob); out: sess_free_buffer(sess_data);