From: Colin Ian King <colin.king@canonical.com> mainline inclusion from mainline-5.15-rc1 commit 5fb68864674faa3e0a4fc767c4a87f51ece218c6 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/5fb68864674f ------------------------------- Currently function ksmbd_neg_token_init_mech_type can kfree an uninitialized pointer oid when the call to asn1_oid_decode fails when vlen is out of range. All the other failure cases in function asn1_oid_decode set *oid to NULL on an error, so fix the issue by ensuring the vlen out of range error also nullifies the pointer. Addresses-Coverity: ("Uninitialized pointer read") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> --- fs/cifsd/asn1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifsd/asn1.c b/fs/cifsd/asn1.c index 2c63a3e5618b..b014f4638610 100644 --- a/fs/cifsd/asn1.c +++ b/fs/cifsd/asn1.c @@ -66,7 +66,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen, vlen += 1; if (vlen < 2 || vlen > UINT_MAX / sizeof(unsigned long)) - return false; + goto fail_nullify; *oid = kmalloc(vlen * sizeof(unsigned long), GFP_KERNEL); if (!*oid) @@ -102,6 +102,7 @@ static bool asn1_oid_decode(const unsigned char *value, size_t vlen, fail: kfree(*oid); +fail_nullify: *oid = NULL; return false; } -- 2.31.1