CIFS: fix use-after-free of the lease keys
The request buffers are freed right before copying the pointers.
Use the func args instead which are identical and still valid.
Simple reproducer (requires KASAN enabled) on a cifs mount:
echo foo > foo ; tail -f foo & rm foo
Cc: <stable@vger.kernel.org> # 4.20
Fixes: 179e44d49c
("smb3: add tracepoint for sending lease break responses to server")
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Paulo Alcantara <palcantara@suse.de>
This commit is contained in:
parent
082aaa8700
commit
d339adc12a
|
@ -4441,8 +4441,8 @@ SMB2_lease_break(const unsigned int xid, struct cifs_tcon *tcon,
|
|||
rc = cifs_send_recv(xid, ses, &rqst, &resp_buf_type, flags, &rsp_iov);
|
||||
cifs_small_buf_release(req);
|
||||
|
||||
please_key_low = (__u64 *)req->LeaseKey;
|
||||
please_key_high = (__u64 *)(req->LeaseKey+8);
|
||||
please_key_low = (__u64 *)lease_key;
|
||||
please_key_high = (__u64 *)(lease_key+8);
|
||||
if (rc) {
|
||||
cifs_stats_fail_inc(tcon, SMB2_OPLOCK_BREAK_HE);
|
||||
trace_smb3_lease_err(le32_to_cpu(lease_state), tcon->tid,
|
||||
|
|
Loading…
Reference in New Issue