diff options
author | Aurelien Aptel <aaptel@suse.com> | 2019-01-31 13:46:07 +0100 |
---|---|---|
committer | Steve French <stfrench@microsoft.com> | 2019-01-31 07:03:20 -0600 |
commit | d339adc12a4f885b572c5412e4869af8939db854 (patch) | |
tree | 44cd5a49b6e7aadd4cb5bef580ff03164f43344a /fs | |
parent | 082aaa8700415f6471ec9c5ef0c8307ca214989a (diff) | |
download | linux-d339adc12a4f885b572c5412e4869af8939db854.tar.gz linux-d339adc12a4f885b572c5412e4869af8939db854.tar.bz2 linux-d339adc12a4f885b572c5412e4869af8939db854.zip |
CIFS: fix use-after-free of the lease keys
The request buffers are freed right before copying the pointers.
Use the func args instead which are identical and still valid.
Simple reproducer (requires KASAN enabled) on a cifs mount:
echo foo > foo ; tail -f foo & rm foo
Cc: <stable@vger.kernel.org> # 4.20
Fixes: 179e44d49c2f ("smb3: add tracepoint for sending lease break responses to server")
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/smb2pdu.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index ef52d6642431..77b3aaa39b35 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -4441,8 +4441,8 @@ SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon, rc = cifs_send_recv(xid, ses, &rqst, &resp_buf_type, flags, &rsp_iov); cifs_small_buf_release(req); - please_key_low = (__u64 *)req->LeaseKey; - please_key_high = (__u64 *)(req->LeaseKey+8); + please_key_low = (__u64 *)lease_key; + please_key_high = (__u64 *)(lease_key+8); if (rc) { cifs_stats_fail_inc(tcon, SMB2_OPLOCK_BREAK_HE); trace_smb3_lease_err(le32_to_cpu(lease_state), tcon->tid, |