ksmbd: Fix dangling pointer in krb_authenticate

krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Sean Heelan <seanheelan@gmail.com> 2025-04-07 11:26:50 +0000
committer: Steve French <stfrench@microsoft.com> 2025-04-14 22:21:26 -0500
commit: 1e440d5b25b7efccb3defe542a73c51005799a5f (patch)
tree: 63f22353c1fd445c53cce348d59ada2b5133eed2
parent: 8ffd015db85fea3e15a77027fda6c02ced4d2444 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index d24d95d15d87..57839f9708bb 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmbd_work *work,
 	if (prev_sess_id && prev_sess_id != sess->id)
 		destroy_previous_session(conn, sess->user, prev_sess_id);
 
-	if (sess->state == SMB2_SESSION_VALID)
+	if (sess->state == SMB2_SESSION_VALID) {
 		ksmbd_free_user(sess->user);
+		sess->user = NULL;
+	}
 
 	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
 					 out_blob, &out_len);
author	Sean Heelan <seanheelan@gmail.com>	2025-04-07 11:26:50 +0000
committer	Steve French <stfrench@microsoft.com>	2025-04-14 22:21:26 -0500
commit	1e440d5b25b7efccb3defe542a73c51005799a5f (patch)
tree	63f22353c1fd445c53cce348d59ada2b5133eed2
parent	8ffd015db85fea3e15a77027fda6c02ced4d2444 (diff)