raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00
Code Issues Projects Releases Wiki Activity

ksmbd: close accepted socket when per-IP limit rejects connection

Browse Source 
commit 98a5fd31cb upstream.

When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.

Release client_sk before continuing.

This bug was found with ZeroPath.

Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Joshua Rogers
2025-11-08 22:59:23 +08:00
committed by Greg Kroah-Hartman
parent 592b3b203a
commit 4587a7826b
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
fs/smb/server/transport_tcp.c
View File

@@ -286,8 +286,11 @@ static int ksmbd_kthread_fn(void *p)
}
}
up_read(&conn_list_lock);
if (ret == -EAGAIN)
if (ret == -EAGAIN) {
/* Per-IP limit hit: release the just-accepted socket. */
sock_release(client_sk);
continue;
}
skip_max_ip_conns_limit:
if (server_conf.max_connections &&