authorRonnie Sahlberg <lsahlber@redhat.com>2017-09-07 20:37:35 -0400
committerSteve French <smfrench@gmail.com>2017-09-12 19:11:44 -0400
commitbf2afee14e07de16d3cafc67edbfc2a3cc65e4bc (patch)
treeaba3efa9b9ef3af8c4d233c6acddc47c07fcc946
parent52269718dc2cf2585d7a2828f31d46ef46e68000 (diff)
cifs: check rsp for NULL before dereferencing in SMB2_open
In SMB2_open there are several paths where the SendReceive2 call will return an error before it sets rsp_iov.iov_base, thus leaving iov_base uninitialized. We therefore need to check rsp before we dereference it in the call to get_rfc1002_length(). This issue was previously reported in http://www.spinics.net/lists/linux-cifs/msg12846.html RH-bugzilla : 1476151 Version 2: * Let's properly initialize rsp_iov before we use it. Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>. Signed-off-by: Steve French <smfrench@gmail.com> Reported-by: Xiaoli Feng <xifeng@redhat.com> CC: Stable <stable@vger.kernel.org>
-rw-r--r--fs/cifs/smb2pdu.c4
1 files changed, 2 insertions, 2 deletions
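--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1634,7 +1634,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
 struct cifs_tcon *tcon = oparms->tcon;
 struct cifs_ses *ses = tcon->ses;
 struct kvec iov[4];
-struct kvec rsp_iov;
+struct kvec rsp_iov = {NULL, 0};
 int resp_buftype;
 int uni_path_len;
 __le16 *copy_path = NULL;
@@ -1763,7 +1763,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
 
 if (rc != 0) {
 cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
-if (err_buf)
+if (err_buf && rsp)
 *err_buf = kmemdup(rsp, get_rfc1002_length(rsp) + 4,
 GFP_KERNEL);
 goto creat_exit;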
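Review bot: The new `err_buf && rsp` guard is only sound if `rsp` is assigned from `rsp_iov.iov_base` after the SendReceive2 call and nowhere else; that assignment is not in either hunk, so the link between the `{NULL, 0}` initializer in the first hunk and the NULL test here is invisible to a reader of this error path. A one-line comment on the guard would make the contract explicit: `/* rsp is NULL when SendReceive2 failed before filling rsp_iov */`. Also note that when `rsp` is NULL the error path now returns with `*err_buf` untouched, and `kmemdup` can still return NULL on the other branch, so callers presumably must initialize and NULL-check their `err_buf` pointer rather than rely on it being set whenever `rc != 0` — worth confirming against the callers. As a point of style, `struct kvec rsp_iov = { .iov_base = NULL, .iov_len = 0 };` documents which members are being zeroed better than the positional `{NULL, 0}`. SMB2_open begins before the first hunk and continues past the end of the second.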