[PATCH 5.10] cifs: fix small mempool leak in SMB2_negotiate() - Linux-stable-mirror

3 Jul 2025

From: Enzo Matsumiya ematsumiya@suse.de
commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 upstream.
In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
the request is sent, the checks would return -EIO when they should be
rather setting rc = -EIO and jumping to neg_exit to free the response
buffer from mempool.
Signed-off-by: Enzo Matsumiya ematsumiya@suse.de
Cc: stable@vger.kernel.org
Reviewed-by: Ronnie Sahlberg lsahlber@redhat.com
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Anastasia Belova abelova@astralinux.ru
---
Backport fix for CVE-2022-49938
 fs/cifs/smb2pdu.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 4197096e7fdb..fa75dc0a372d 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -883,23 +883,24 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
    } else if (rc != 0)
    	goto neg_exit;
+	rc = -EIO;
    if (strcmp(server->vals->version_string,
    	   SMB3ANY_VERSION_STRING) == 0) {
    	if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
    		cifs_server_dbg(VFS,
    			"SMB2 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
    	} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
    		cifs_server_dbg(VFS,
    			"SMB2.1 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
    	}
    } else if (strcmp(server->vals->version_string,
    	   SMBDEFAULT_VERSION_STRING) == 0) {
    	if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
    		cifs_server_dbg(VFS,
    			"SMB2 dialect returned but not requested\n");
-			return -EIO;
+			goto neg_exit;
    	} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
    		/* ops set to 3.0 by default for default so update */
    		server->ops = &smb21_operations;
@@ -913,7 +914,7 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
    	/* if requested single dialect ensure returned dialect matched */
    	cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
    			le16_to_cpu(rsp->DialectRevision));
-		return -EIO;
+		goto neg_exit;
    }
cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
@@ -931,9 +932,10 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
    else {
    	cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
    			le16_to_cpu(rsp->DialectRevision));
-		rc = -EIO;
    	goto neg_exit;
    }
+
+	rc = 0;
    server->dialect = le16_to_cpu(rsp->DialectRevision);
/*
-- 
2.43.0



    