github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-25 07:33:19 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

two smb3 client fixes

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmgvRZwACgkQiiy9cAdy
 T1FhHgwAmCyhbUzJkszIn3KCVrcxPmydM4zf7fniiAEk9uUX58FdovQ7fbrt6wxY
 joN3dtvoCu5A6zOAyzBWt8V6gnWqz2EH6nve9bMo+WRk380RbIisSYnZC0NaYjQb
 oM/5zuyBxIqvN30CkLVMp/6Ps6wdGmdyOcjtK4xeyW7BPnM7pd74Z2ttEy9QsxlT
 PCETHtL1wM+iKKf3ua5N7Sti11mXyTOe/6X3Kl65rmiyiNQ2F6L/qTtswbu4QOzv
 mVsxoEOSxPu52KIostZsWloP2vQuvE8Cuk4z3UoC1Osd/xmvMAoOiMbB72vyAmHW
 4dJgvZei+D3gKUQslIZSCIG0cQfneBxhp/z4+YxSGAnWgDx/5g3IJuyZ6bk5SQXA
 PNJu80fOe683QudxNzmQN3WioYdgRatxPxZFjqW8uhovWRM9EPydB3vi+oCdEQcH
 KXJNAR3pUSaavVRiLdm8JbLkqVchjEuTj/Ba1Ws9Z4LVJpVFAqhIynHDoxqPIhsh
 jGcJJA4X
 =Agsj
 -----END PGP SIGNATURE-----

Merge tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - Two fixes for use after free in readdir code paths

* tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: Reset all search buffer pointers when releasing buffer
  smb: client: Fix use-after-free in cifs_fill_dirent
This commit is contained in:
Linus Torvalds 2025-05-22 12:35:16 -07:00
commit e85dea591f
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
fs/smb/client/readdir.c
View File

@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
else
cifs_buf_release(cfile->srch_inf.
ntwrk_buf_start);
/* Reset all pointers to the network buffer to prevent stale references */
cfile->srch_inf.ntwrk_buf_start = NULL;
cfile->srch_inf.srch_entries_start = NULL;
cfile->srch_inf.last_entry = NULL;
}
rc = initiate_cifs_search(xid, file, full_path);
if (rc) {
@ -756,11 +759,11 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
rc = server->ops->query_dir_next(xid, tcon, &cfile->fid,
search_flags,
&cfile->srch_inf);
if (rc)
return -ENOENT;
/* FindFirst/Next set last_entry to NULL on malformed reply */
if (cfile->srch_inf.last_entry)
cifs_save_resume_key(cfile->srch_inf.last_entry, cfile);
if (rc)
return -ENOENT;
}
if (index_to_find < cfile->srch_inf.index_of_last_entry) {
/* we found the buffer that contains the entry */