Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- Two fixes for use after free in readdir code paths
* tag '6.15-rc8-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
smb: client: Reset all search buffer pointers when releasing buffer
smb: client: Fix use-after-free in cifs_fill_dirent
+5
-2
+5
-2
fs/smb/client/readdir.c
+5
-2
fs/smb/client/readdir.c
···
733
733
else
734
734
cifs_buf_release(cfile->srch_inf.
735
735
ntwrk_buf_start);
736
+
/* Reset all pointers to the network buffer to prevent stale references */
736
737
cfile->srch_inf.ntwrk_buf_start = NULL;
738
+
cfile->srch_inf.srch_entries_start = NULL;
739
+
cfile->srch_inf.last_entry = NULL;
737
740
}
738
741
rc = initiate_cifs_search(xid, file, full_path);
739
742
if (rc) {
···
759
756
rc = server->ops->query_dir_next(xid, tcon, &cfile->fid,
760
757
search_flags,
761
758
&cfile->srch_inf);
759
+
if (rc)
760
+
return -ENOENT;
762
761
/* FindFirst/Next set last_entry to NULL on malformed reply */
763
762
if (cfile->srch_inf.last_entry)
764
763
cifs_save_resume_key(cfile->srch_inf.last_entry, cfile);
765
-
if (rc)
766
-
return -ENOENT;
767
764
}
768
765
if (index_to_find < cfile->srch_inf.index_of_last_entry) {
769
766
/* we found the buffer that contains the entry */