]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 592b3b2)
ksmbd: close accepted socket when per-IP limit rejects connection
authorJoshua Rogers <linux@joshua.hu>
Sat, 8 Nov 2025 14:59:23 +0000 (22:59 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 09:35:59 +0000 (10:35 +0100)
commit 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 upstream.

When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.

Release client_sk before continuing.

This bug was found with ZeroPath.

Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/server/transport_tcp.c patch | blob | blame | history

diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c
index 169e3013e48b5fb72df074f35c0cfa628c9e8380..0ef17d070711d71fa02b2f1e0e345ac8a8435653 100644 (file)
--- a/fs/smb/server/transport_tcp.c
+++ b/fs/smb/server/transport_tcp.c
@@ -286,8 +286,11 @@ static int ksmbd_kthread_fn(void *p)
                        }
                }
                up_read(&conn_list_lock);
-               if (ret == -EAGAIN)
+               if (ret == -EAGAIN) {
+                       /* Per-IP limit hit: release the just-accepted socket. */
+                       sock_release(client_sk);
                        continue;
+               }
 
 skip_max_ip_conns_limit:
                if (server_conf.max_connections &&
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git