summaryrefslogtreecommitdiff
path: root/fs/smb/server/auth.c
diff options
context:
space:
mode:
authorSean Heelan <seanheelan@gmail.com>2025-04-19 19:59:28 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-05-09 09:50:35 +0200
commite18c616718018dfc440e4a2d2b94e28fe91b1861 (patch)
tree67023c957b8df91159afb155d03daecbf171a40d /fs/smb/server/auth.c
parent8fb3b6c85b7e3127161623586b62abcc366caa20 (diff)
ksmbd: fix use-after-free in kerberos authentication
commit e86e9134e1d1c90a960dd57f59ce574d27b9a124 upstream. Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL. Cc: stable@vger.kernel.org Signed-off-by: Sean Heelan <seanheelan@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/smb/server/auth.c')
-rw-r--r--fs/smb/server/auth.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index 83caa38497493..b3d121052408c 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -550,7 +550,19 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
retval = -ENOMEM;
goto out;
}
- sess->user = user;
+
+ if (!sess->user) {
+ /* First successful authentication */
+ sess->user = user;
+ } else {
+ if (!ksmbd_compare_user(sess->user, user)) {
+ ksmbd_debug(AUTH, "different user tried to reuse session\n");
+ retval = -EPERM;
+ ksmbd_free_user(user);
+ goto out;
+ }
+ ksmbd_free_user(user);
+ }
memcpy(sess->sess_key, resp->payload, resp->session_key_len);
memcpy(out_blob, resp->payload + resp->session_key_len,
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-11 21:32:09 +0000