From: Namjae Jeon <namjae.jeon@samsung.com> mainline inclusion from mainline-5.15-rc1 commit dac0ec6e1b4a876abb61b6cd2ec589f8e87e95c9 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/dac0ec6e1b4a ------------------------------- Add missing kfree(conv_name) on error path. Reported-by: Coverity Scan <scan-admin@coverity.com> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> --- fs/ksmbd/smb2pdu.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 381ee5a812fc..7f665a82d5b4 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -3266,7 +3266,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level, char *conv_name; int conv_len; void *kstat; - int struct_sz; + int struct_sz, rc = 0; conv_name = ksmbd_convert_dir_info_name(d_info, conn->local_nls, @@ -3276,8 +3276,8 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level, /* Somehow the name has only terminating NULL bytes */ if (conv_len < 0) { - kfree(conv_name); - return -EINVAL; + rc = -EINVAL; + goto free_conv_name; } struct_sz = readdir_info_level_struct_sz(info_level); @@ -3286,7 +3286,8 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level, if (next_entry_offset > d_info->out_buf_len) { d_info->out_buf_len = 0; - return -ENOSPC; + rc = -ENOSPC; + goto free_conv_name; } kstat = d_info->wptr; 
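Review bot: The `-ENOSPC` branch in the third hunk, like the `-EINVAL` branch in the second, now relies on an ownership rule that is not written down anywhere in the visible code: conv_name, returned by ksmbd_convert_dir_info_name(), must be released on every exit after that call. I would add `/* conv_name is owned by this function from here on; leave only via free_conv_name */` directly after the conversion call. The branch compares against `d_info->out_buf_len`, which presumably tracks the space left in the response to the client's request, so the pre-patch leak may have been repeatable by a remote peer and is worth treating as a memory-exhaustion fix when deciding on backports. The start of the function and any NULL check on conv_name lie outside these hunks.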
@@ -3428,14 +3429,15 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level, d_info->data_count += next_entry_offset; d_info->out_buf_len -= next_entry_offset; d_info->wptr += next_entry_offset; - kfree(conv_name); ksmbd_debug(SMB, "info_level : %d, buf_len :%d, next_offset : %d, data_count : %d\n", info_level, d_info->out_buf_len, next_entry_offset, d_info->data_count); - return 0; +free_conv_name: + kfree(conv_name); + return rc; } struct smb2_query_dir_private { -- 2.31.1
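Review bot: The single exit at `free_conv_name:` closes the leak only if no direct `return` remains between the `-ENOSPC` check and this tail, and that stretch of the function (old lines 3293 to 3427) is not part of the diff, so it should be checked before this is merged. Error exits also jump past the `ksmbd_debug(SMB, ...)` call, as they did before the patch, so a rejected entry leaves no trace of the buffer state. If that is intended, a comment above the label such as `/* error paths skip the trace above; conv_name is freed on every exit */` would make it explicit.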