author    Wang Zhaolong <wangzhaolong1@huawei.com>    2025-05-16 17:12:56 +0800
committer Steve French <stfrench@microsoft.com>      2025-05-19 20:29:06 -0500
commit    e48f9d849bfdec276eebf782a84fd4dfbe1c14c0 (patch)
tree      ef8e46b1b3f3ac9f43bc4e6f2266fd0db1450b56
parent    a7a8fe56e932a36f43e031b398aef92341bf5ea0 (diff)
smb: client: Reset all search buffer pointers when releasing buffer
Multiple pointers in struct cifs_search_info (ntwrk_buf_start, srch_entries_start, and last_entry) point to the same allocated buffer. However, when freeing this buffer, only ntwrk_buf_start was set to NULL, while the other pointers remained pointing to freed memory.

This is defensive programming to prevent potential issues with stale pointers. While the active UAF vulnerability is fixed by the previous patch, this change ensures consistent pointer state and more robust error handling.

Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
-rw-r--r--  fs/smb/client/readdir.c  3
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/smb/client/readdir.c b/fs/smb/client/readdir.c
index 67d7dd64b5e2..787d6bcb5d1d 100644
--- a/fs/smb/client/readdir.c
+++ b/fs/smb/client/readdir.c
@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
else
cifs_buf_release(cfile->srch_inf.
ntwrk_buf_start);
+ /* Reset all pointers to the network buffer to prevent stale references */
cfile->srch_inf.ntwrk_buf_start = NULL;
+ cfile->srch_inf.srch_entries_start = NULL;
+ cfile->srch_inf.last_entry = NULL;
}
rc = initiate_cifs_search(xid, file, full_path);
if (rc) {
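Review bot: the two new NULL assignments for srch_entries_start and last_entry are placed at only this one release site in find_cifs_entry (the diffstat shows a single file with three insertions), while the commit message says the change ensures consistent pointer state for a buffer that all three fields share. Any other path that frees ntwrk_buf_start should clear the same two pointers, or the message should say why this site is the only one that needs it. Since the three assignments `cfile->srch_inf.ntwrk_buf_start = NULL;`, `cfile->srch_inf.srch_entries_start = NULL;` and `cfile->srch_inf.last_entry = NULL;` now always belong together, a small helper that performs the release (small or large buffer) followed by all three resets would keep the invariant in one place and make it harder for a future release site to forget one of them. The added comment is accurate, but it sits after the else branch, so it documents the resets rather than the release; placing the comment immediately above the three assignments as a block, rather than above the first one alone, would make that clearer.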