diff options
| author | Hyunwoo Kim <imv4bel@gmail.com> | 2026-03-17 08:52:01 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-02 13:25:39 +0200 |
| commit | e0e5edc81b241c70355217de7e120c97c3429deb (patch) | |
| tree | 66eb377c7e95aec0580646148c653a6ad1c5d1e3 /sound/hda/controllers/intel.c | |
| parent | aab42f0795620cf0d3955a520f571f697d0f9a2a (diff) | |
ksmbd: do not expire session on binding failure
commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
When a multichannel session binding request fails (e.g. wrong password),
the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
However, during binding, sess points to the target session looked up via
ksmbd_session_lookup_slowpath() -- which belongs to another connection's
user. This allows a remote attacker to invalidate any active session by
simply sending a binding request with a wrong password (DoS).
Fix this by skipping session expiration when the failed request was
a binding attempt, since the session does not belong to the current
connection. The reference taken by ksmbd_session_lookup_slowpath() is
still correctly released via ksmbd_user_session_put().
Cc: stable@vger.kernel.org
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'sound/hda/controllers/intel.c')
0 files changed, 0 insertions, 0 deletions