ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

gregkh · smfrench · commit ad0057fb9121 · 2026-04-12T18:07:55.000-05:00
The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn-&gt;mechToken immediately via kmemdup_nul().  If a later element in
the same blob is malformed, then the decoder will return nonzero after
the allocation is already live.  This could happen if mechListMIC [3]
overrunse the enclosing SEQUENCE.

decode_negotiation_token() then sets conn-&gt;use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed.  The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:

	if (conn-&gt;use_spnego &amp;&amp; conn-&gt;mechToken) {
		kfree(conn-&gt;mechToken);
		conn-&gt;mechToken = NULL;
	}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.

Fix this up by not checking check for use_spnego, as it's not required,
so the memory will always be properly freed.  At the same time, always
free the memory in ksmbd_conn_free() incase some other failure path
forgot to free it.

Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Cc: Steve French &lt;smfrench@gmail.com&gt;
Cc: Sergey Senozhatsky &lt;senozhatsky@chromium.org&gt;
Cc: Tom Talpey &lt;tom@talpey.com&gt;
Cc: linux-cifs@vger.kernel.org
Cc: &lt;stable@kernel.org&gt;
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
@@ -96,6 +96,7 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
 	xa_destroy(&conn->sessions);
 	kvfree(conn->request_buf);
 	kfree(conn->preauth_info);
+	kfree(conn->mechToken);
 	if (atomic_dec_and_test(&conn->refcnt)) {
 		conn->transport->ops->free_transport(conn->transport);
 		kfree(conn);
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -1915,7 +1915,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
 	else if (rc)
 		rsp->hdr.Status = STATUS_LOGON_FAILURE;
 
-	if (conn->use_spnego && conn->mechToken) {
+	if (conn->mechToken) {
 		kfree(conn->mechToken);
 		conn->mechToken = NULL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -1915,7 +1915,7 @@ int smb2_sess_setup(struct ksmbd_work *work)`
`1915`	`1915`	`else if (rc)`
`1916`	`1916`	`rsp->hdr.Status = STATUS_LOGON_FAILURE;`
`1917`	`1917`
`1918`		`- if (conn->use_spnego && conn->mechToken) {`
	`1918`	`+ if (conn->mechToken) {`
`1919`	`1919`	`kfree(conn->mechToken);`
`1920`	`1920`	`conn->mechToken = NULL;`
`1921`	`1921`	`}`