ksmbd: fix memleak in session setup

namjaejeon · smfrench · commit 6d7cb549c2ca · 2023-05-03T23:03:01.000-05:00
If client send session setup request with unknown NTLMSSP message type,
session that does not included channel can be created. It will cause
session memleak. because ksmbd_sessions_deregister() does not destroy
session if channel is not included. This patch return error response if
client send the request unknown NTLMSSP message type.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
@@ -1766,6 +1766,10 @@ int smb2_sess_setup(struct ksmbd_work *work)
 				}
 				kfree(sess->Preauth_HashValue);
 				sess->Preauth_HashValue = NULL;
+			} else {
+				pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",
+						le32_to_cpu(negblob->MessageType));
+				rc = -EINVAL;
 			}
 		} else {
 			/* TODO: need one more negotiation */

Original file line number	Diff line number	Diff line change
`@@ -1766,6 +1766,10 @@ int smb2_sess_setup(struct ksmbd_work *work)`
`1766`	`1766`	`}`
`1767`	`1767`	`kfree(sess->Preauth_HashValue);`
`1768`	`1768`	`sess->Preauth_HashValue = NULL;`
	`1769`	`+ } else {`
	`1770`	`+ pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",`
	`1771`	`+ le32_to_cpu(negblob->MessageType));`
	`1772`	`+ rc = -EINVAL;`
`1769`	`1773`	`}`
`1770`	`1774`	`} else {`
`1771`	`1775`	`/* TODO: need one more negotiation */`