]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling
authorQiang Liu <liuqiang@kylinos.cn>
Wed, 24 Jun 2026 01:13:19 +0000 (09:13 +0800)
committerSteve French <stfrench@microsoft.com>
Wed, 1 Jul 2026 02:29:45 +0000 (21:29 -0500)
commitd708a36634bb7b6f94d0e76d587d2ec50b2b93b5
tree89bd6ddf68d922d07a25f98632acedd9e5d31b0b
parentd4d56b00c7df88cd5751e7415bdfabc9fdbc82a7
ksmbd: Fix acl.sd_buf memory leak and invalid sd_size error handling

1. When ndr_decode_v4_ntacl() fails, the code jumped to free_n_data
   which only freed n.data, skipping kfree(acl.sd_buf) and leaking
   the buffer. Zero-initialize struct xattr_ntacl acl, reorder error
   labels to out_free to release acl.sd_buf on all error paths.

2. if (acl.sd_size < sizeof(struct smb_ntsd)) is true, original code
   returned success without freeing sd_buf and left stale *pntsd.
   Set rc = -EINVAL before jumping to out_free to return error code and
   free buffer.

Signed-off-by: Qiang Liu <liuqiang@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/vfs.c