Acknowledged

LIN1025-13748 : Security Advisory - linux - CVE-2026-31610

Created: Apr 27, 2026    Updated: Apr 30, 2026
Found In Version: 10.25.33.2
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc

The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE.

decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:

	if (conn->use_spnego && conn->mechToken) {
		kfree(conn->mechToken);
		conn->mechToken = NULL;
	}

so the kfree is skipped, causing the mechToken to never be freed.

This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated.

Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
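The control flow behind the leak, and the effect of dropping the use_spnego gate, as an added userspace C illustration that is not part of the advisory or the kernel patch. It assumes hypothetical stand-ins (struct conn, a simulated decode_negotiation_token() that allocates the token and then fails, sess_setup_cleanup() with and without the gate, mechtoken_leaks()) and models the malformed mechListMIC with a flag instead of parsing BER.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two ksmbd_conn fields involved. */
struct conn {
    bool  use_spnego;
    char *mechToken;
};
/* Simulated negTokenInit decode. The BER decoder fires its callbacks as it
 * walks the blob, so mechToken [2] is duplicated before mechListMIC [3] is
 * checked; 'mic_overruns' models a mechListMIC overrunning the SEQUENCE. */
static int decode_negotiation_token(struct conn *c, const char *mech, bool mic_overruns)
{
    size_t n = strlen(mech) + 1;
    c->mechToken = malloc(n);            /* stands in for kmemdup_nul() */
    if (!c->mechToken)
        return -1;
    memcpy(c->mechToken, mech, n);
    if (mic_overruns) {
        c->use_spnego = false;           /* both SPNEGO grammars failed ... */
        return -1;                       /* ... but the token is already live */
    }
    c->use_spnego = true;
    return 0;
}

/* smb2_sess_setup() cleanup. gated=true reproduces the pre-fix use_spnego
 * check; gated=false is the fix: free whenever a token was allocated. */
static bool sess_setup_cleanup(struct conn *c, bool gated)
{
    if ((!gated || c->use_spnego) && c->mechToken) {
        free(c->mechToken);
        c->mechToken = NULL;
        return true;
    }
    return false;
}

/* One pre-auth session setup with a constructed malformed blob.
 * Returns true if the cleanup left mechToken allocated (the leak). */
bool mechtoken_leaks(bool fixed)
{
    struct conn c = { .use_spnego = false, .mechToken = NULL };
    decode_negotiation_token(&c, "constructed-mech-token", true);
    bool freed = sess_setup_cleanup(&c, !fixed);
    free(c.mechToken);   /* backstop the fix also adds to ksmbd_conn_free(); NULL-safe */
    return !freed;
}
```

Running the simulation under a leak checker (e.g. with the final free() removed) shows the pre-fix path retaining one allocation per malformed session setup, which is the slow, unauthenticated leak the advisory describes.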