From df179d4868b57eb8bcd7587559164178f17f0747 Mon Sep 17 00:00:00 2001
From: Norbert Szetei <norbert@doyensec.com>
Date: Sat, 15 Mar 2025 12:19:28 +0900
Subject: ksmbd: add bounds check for create lease context
Add missing bounds check for create lease context.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/oplock.c | 8 ++++++++
1 file changed, 8 insertions(+)
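--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
 	if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
 		struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
 
+		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
+		    sizeof(struct create_lease_v2) - 4)
+			return NULL;
+
 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
 		lreq->req_state = lc->lcontext.LeaseState;
 		lreq->flags = lc->lcontext.LeaseFlags;
@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
 	} else {
 		struct create_lease *lc = (struct create_lease *)cc;
 
+		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
+		    sizeof(struct create_lease))
+			return NULL;
+
 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
 		lreq->req_state = lc->lcontext.LeaseState;
 		lreq->flags = lc->lcontext.LeaseFlags;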
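Review bot: The left-hand side `le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength)` in the added check is evaluated in 32-bit unsigned arithmetic, so unless the caller has already bounded DataLength against the request buffer (likely, but not visible here) the sum can wrap before it is compared with the size_t on the right; computing it once as `size_t ctx_len = (size_t)le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength);` and comparing `ctx_len` in both branches removes the wrap and the duplicated expression. The `- 4` in the v2 comparison has no counterpart in the second hunk and deserves a comment naming what it excludes, e.g. `/* trailing Pad of create_lease_v2 need not be present on the wire -- confirm against the struct definition */`, since a reader cannot tell from the check alone whether it is deliberate slack or an off-by-four. The same wrap concern applies to the check in the second hunk. parse_lease_state begins before the first hunk and continues past the second.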