From 750b72183e7f3d9dc775540cee41c0c06d2c1da4 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@kernel.org>
Date: Fri, 14 Mar 2025 18:21:47 +0900
Subject: ksmbd: add bounds check for durable handle context
Add missing bounds check for durable handle context.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
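--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(
 goto out;
 }
 
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_durable_reconn_v2_req)) {
+ err = -EINVAL;
+ goto out;
+ }
+
 recon_v2 = (struct create_durable_reconn_v2_req *)context;
 persistent_id = recon_v2->Fid.PersistentFileId;
 dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(
 goto out;
 }
 
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_durable_reconn_req)) {
+ err = -EINVAL;
+ goto out;
+ }
+
 recon = (struct create_durable_reconn_req *)context;
 persistent_id = recon->Data.Fid.PersistentFileId;
 dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2765,6 +2779,13 @@ static int parse_durable_handle_context(
 err = -EINVAL;
 goto out;
 }
+
+ if (le16_to_cpu(context->DataOffset) +
+ le32_to_cpu(context->DataLength) <
+ sizeof(struct create_durable_req_v2)) {
+ err = -EINVAL;
+ goto out;
+ }
 
 durable_v2_blob =
 (struct create_durable_req_v2 *)context;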
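Review bot: The added length checks in all three hunks sum `DataOffset` and `DataLength` in 32-bit arithmetic before comparing with `sizeof(...)`, so a client-supplied `DataLength` near the 32-bit maximum can wrap the sum to a value that still passes the minimum-size test. Whether that matters depends on how the context was validated against the request buffer before this point, which is outside the hunks; if that is not guaranteed there, widen the sum, e.g. `if ((u64)le16_to_cpu(context->DataOffset) + le32_to_cpu(context->DataLength) < sizeof(struct create_durable_reconn_v2_req)) {`. The test only sets a lower bound on the declared size, so a short comment such as `/* context must be large enough for the fixed-layout cast below */` would make the intent explicit. Because the same test appears three times with only the struct differing, a small static helper taking the required size would keep the copies from drifting apart. `parse_durable_handle_context()` starts and ends outside the hunks.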