smb: client: Reset all search buffer pointers when releasing buffer
Multiple pointers in struct cifs_search_info (ntwrk_buf_start, srch_entries_start, and last_entry) point to the same allocated buffer. However, when freeing this buffer, only ntwrk_buf_start was set to NULL, while the other pointers remained pointing to freed memory.

This is defensive programming to prevent potential issues with stale pointers. While the active UAF vulnerability is fixed by the previous patch, this change ensures consistent pointer state and more robust error handling.

Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
committed by Steve French
parent a7a8fe56e9
commit e48f9d849b
@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
else
cifs_buf_release(cfile->srch_inf.
ntwrk_buf_start);
/* Reset all pointers to the network buffer to prevent stale references */
cfile->srch_inf.ntwrk_buf_start = NULL;
cfile->srch_inf.srch_entries_start = NULL;
cfile->srch_inf.last_entry = NULL;
}
rc = initiate_cifs_search(xid, file, full_path);
if (rc) {
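Review bot: the three pointer resets after cifs_buf_release() are applied only on this release path in find_cifs_entry(), while the commit message describes a general invariant (all three struct cifs_search_info pointers alias one buffer and must be cleared together); suggest factoring the release plus the three NULL assignments into one small static helper and calling it from every place the search buffer is released, so no other release site is left clearing only ntwrk_buf_start. The comment "Reset all pointers to the network buffer to prevent stale references" would then live once in that helper rather than at each call site.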