33 lines
991 B
Diff
33 lines
991 B
Diff
From 0cf6aa54e0b5dbd9b1835a3b9f13a154216a7422 Mon Sep 17 00:00:00 2001
|
|
From: Norbert Szetei <norbert@doyensec.com>
|
|
Date: Sat, 29 Mar 2025 16:06:01 +0000
|
|
Subject: ksmbd: validate zero num_subauth before sub_auth is accessed
|
|
|
|
Access psid->sub_auth[psid->num_subauth - 1] without checking
|
|
if num_subauth is non-zero leads to an out-of-bounds read.
|
|
This patch adds a validation step to ensure num_subauth != 0
|
|
before sub_auth is accessed.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
|
|
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
|
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
---
|
|
fs/smb/server/smbacl.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
--- a/fs/smb/server/smbacl.c
|
|
+++ b/fs/smb/server/smbacl.c
|
|
@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *i
|
|
return -EIO;
|
|
}
|
|
|
|
+ if (psid->num_subauth == 0) {
|
|
+ pr_err("%s: zero subauthorities!\n", __func__);
|
|
+ return -EIO;
|
|
+ }
|
|
+
|
|
if (sidtype == SIDOWNER) {
|
|
kuid_t uid;
|
|
uid_t id;
|