smb: client: Reset all search buffer pointers when releasing buffer

Multiple pointers in struct cifs_search_info (ntwrk_buf_start,
srch_entries_start, and last_entry) point to the same allocated buffer.
However, when freeing this buffer, only ntwrk_buf_start was set to NULL,
while the other pointers remained pointing to freed memory.

This is defensive programming to prevent potential issues with stale
pointers. While the active UAF vulnerability is fixed by the previous
patch, this change ensures consistent pointer state and more robust error
handling.

Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c
index 67d7dd64b5e2e24c921a3cb43e890bbb84d68ec4..787d6bcb5d1dc47339922c2cedb5e719d29e59bc 100644 (file)
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
                        else
                                cifs_buf_release(cfile->srch_inf.
                                                ntwrk_buf_start);
+                       /* Reset all pointers to the network buffer to prevent stale references */
                        cfile->srch_inf.ntwrk_buf_start = NULL;
+                       cfile->srch_inf.srch_entries_start = NULL;
+                       cfile->srch_inf.last_entry = NULL;
                }
                rc = initiate_cifs_search(xid, file, full_path);
                if (rc) {