ksmbd: fix null pointer dereference in destroy_previous_session
If client set ->PreviousSessionId on kerberos session setup stage, NULL pointer dereference error will happen. Since sess->user is not set yet, It can pass the user argument as NULL to destroy_previous_session. sess->user will be set in ksmbd_krb5_authenticate(). So this patch move calling destroy_previous_session() after ksmbd_krb5_authenticate(). Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
Namjae Jeon
committed by
Steve French
Steve French
parent
a89f5fae99
commit
7ac5b66aca
@@ -1607,17 +1607,18 @@ static int krb5_authenticate(struct ksmbd_work *work,
|
||||
out_len = work->response_sz -
|
||||
(le16_to_cpu(rsp->SecurityBufferOffset) + 4);
|
||||
|
||||
/* Check previous session */
|
||||
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
|
||||
if (prev_sess_id && prev_sess_id != sess->id)
|
||||
destroy_previous_session(conn, sess->user, prev_sess_id);
|
||||
|
||||
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
|
||||
out_blob, &out_len);
|
||||
if (retval) {
|
||||
ksmbd_debug(SMB, "krb5 authentication failed\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* Check previous session */
|
||||
prev_sess_id = le64_to_cpu(req->PreviousSessionId);
|
||||
if (prev_sess_id && prev_sess_id != sess->id)
|
||||
destroy_previous_session(conn, sess->user, prev_sess_id);
|
||||
|
||||
rsp->SecurityBufferLength = cpu_to_le16(out_len);
|
||||
|
||||
if ((conn->sign || server_conf.enforced_signing) ||
|
||||
|
||||
Reference in New Issue
Block a user