From: Christophe JAILLET
To: linkinjeon@kernel.org, senozhatsky@chromium.org, sfrench@samba.org, hyc.lee@gmail.com, mmakassikis@freebox.fr
Cc: linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET
Subject: [PATCH] ksmbd: Fix an error handling path in 'smb2_sess_setup()'
Date: Sun, 7 Nov 2021 16:22:57 +0100
Message-Id: <17d0c2af6d0a35c2951f0ac5c7a1dfea04df410f.1636298480.git.christophe.jaillet@wanadoo.fr>
X-Mailing-List: linux-kernel@vger.kernel.org

All the error handling paths of 'smb2_sess_setup()' end at 'out_err'.

All but the new error handling path added by the commit given in the Fixes tag below.

Fix this error handling path and branch to 'out_err' as well.

Fixes: 0d994cd482ee ("ksmbd: add buffer validation in session setup")
Signed-off-by: Christophe JAILLET
--- fs/ksmbd/smb2pdu.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index ba68a27cabf8..bb0d1b155b34 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1698,8 +1698,10 @@ int smb2_sess_setup(struct ksmbd_work *work) negblob_off = le16_to_cpu(req->SecurityBufferOffset); negblob_len = le16_to_cpu(req->SecurityBufferLength); if (negblob_off < offsetof(struct smb2_sess_setup_req, Buffer) || - negblob_len < offsetof(struct negotiate_message, NegotiateFlags)) - return -EINVAL; + negblob_len < offsetof(struct negotiate_message, NegotiateFlags)) { + rc = -EINVAL; + goto out_err; + } negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId + negblob_off); -- 2.30.2
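Review bot: the new `goto out_err` in the negblob_off/negblob_len validation branch is taken before `negblob` is assigned, so please confirm that everything the 'out_err' label touches is already in a valid state at this point in smb2_sess_setup(); the label itself is not visible in this hunk. The commit message would also be stronger if it stated what the old early `return -EINVAL` skipped under 'out_err' (which cleanup or response handling), since that is what lets a reader judge the impact of the regression introduced by 0d994cd482ee.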