diff options
author | Namjae Jeon | 2023-06-15 22:04:40 +0900 |
---|---|---|
committer | Greg Kroah-Hartman | 2023-06-28 11:12:18 +0200 |
commit | c86211159bc3178b891e0d60e586a32c7b6a231b (patch) | |
tree | 4762b6a24dc1e541d4bd46824190f3b40ae096ca | |
parent | 9650cf70ec9d94ff34daa088b643229231723c26 (diff) |
ksmbd: fix out-of-bound read in smb2_write
commit 5fe7f7b78290638806211046a99f031ff26164e1 upstream.
ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If
->NextCommand is bigger than Offset + Length of smb2 write, It will
allow oversized smb2 write length. It will cause OOB read in smb2_write.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21164
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | fs/ksmbd/smb2misc.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 57749f41b991..33b7e6c4ceff 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -351,10 +351,16 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) int command; __u32 clc_len; /* calculated length */ __u32 len = get_rfc1002_len(work->request_buf); - __u32 req_struct_size; + __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); - if (le32_to_cpu(hdr->NextCommand) > 0) - len = le32_to_cpu(hdr->NextCommand); + if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { + pr_err("next command(%u) offset exceeds smb msg size\n", + next_cmd); + return 1; + } + + if (next_cmd > 0) + len = next_cmd; else if (work->next_smb2_rcv_hdr_off) len -= work->next_smb2_rcv_hdr_off; |