ksmbd: fix Preauh_HashValue race condition
authorNamjae Jeon <linkinjeon@kernel.org>
Thu, 24 Jul 2025 23:13:31 +0000 (08:13 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 Aug 2025 10:14:11 +0000 (12:14 +0200)
commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 upstream.

If a client sends multiple session setup requests to ksmbd,
a Preauth_HashValue race condition could happen.
There is no need to free sess->Preauh_HashValue at session setup phase.
It can be freed together with session at connection termination phase.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27661
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/server/smb2pdu.c

index b04c5f2a091a1fffb2d50e93315117f2714bfe27..495a9faa298bdf64728e1c1b03e787d56fdb42b1 100644 (file)
@@ -1845,8 +1845,6 @@ int smb2_sess_setup(struct ksmbd_work *work)
                                ksmbd_conn_set_good(conn);
                                sess->state = SMB2_SESSION_VALID;
                        }
-                       kfree(sess->Preauth_HashValue);
-                       sess->Preauth_HashValue = NULL;
                } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
                        if (negblob->MessageType == NtLmNegotiate) {
                                rc = ntlm_negotiate(work, negblob, negblob_len, rsp);
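Review bot: With the two kfree lines removed, nothing at this spot records that sess->Preauth_HashValue is now deliberately left allocated once the session is valid, so a later cleanup could reintroduce the free and the race; a comment after the closing brace preceding the removed lines, such as `/* Do not free Preauth_HashValue here: a concurrent session setup on the same session may still be using it; it is released with the session. */`, would pin the reason. The fix relies on the session teardown path actually freeing Preauth_HashValue, which is outside this diff and should be confirmed, otherwise every session now leaks that buffer. Because the buffer persists for the whole session lifetime, any later path that allocates sess->Preauth_HashValue afresh for a further session-setup request must free or reuse the existing buffer rather than overwrite the pointer. The enclosing smb2_sess_setup body starts and ends outside this hunk.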
@@ -1873,8 +1871,6 @@ int smb2_sess_setup(struct ksmbd_work *work)
                                                kfree(preauth_sess);
                                        }
                                }
-                               kfree(sess->Preauth_HashValue);
-                               sess->Preauth_HashValue = NULL;
                        } else {
                                pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",
                                                le32_to_cpu(negblob->MessageType));
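Review bot: The NTLMSSP branch now has two preauth objects with different lifetimes side by side, preauth_sess freed a few lines above and sess->Preauth_HashValue kept until the session is destroyed, and the hunk does not say why they differ; a one-line comment where the kfree was removed, `/* Preauth_HashValue outlives this request; freeing it here raced with concurrent session setups. */`, would make that asymmetry intentional rather than look like an oversight. Dropping the free removes the use-after-free, but it does not serialize concurrent session-setup requests on the same session, so whether the other per-session fields written in this function are protected is not visible here and is worth confirming. The surrounding smb2_sess_setup function extends beyond both ends of this hunk.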