44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
From adbf65091f5ac103ae5339bd49549b147906a0c0 Mon Sep 17 00:00:00 2001
|
|
From: Denis Arefev <arefev@swemel.ru>
|
|
Date: Wed, 9 Apr 2025 12:04:49 +0300
|
|
Subject: ksmbd: Prevent integer overflow in calculation of deadtime
|
|
|
|
The user can set any value for 'deadtime'. This affects the arithmetic
|
|
expression 'req->deadtime * SMB_ECHO_INTERVAL', which is subject to
|
|
overflow. The added check makes the server behavior more predictable.
|
|
|
|
Found by Linux Verification Center (linuxtesting.org) with SVACE.
|
|
|
|
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Denis Arefev <arefev@swemel.ru>
|
|
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
|
|
Signed-off-by: Steve French <stfrench@microsoft.com>
|
|
---
|
|
fs/smb/server/transport_ipc.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
--- a/fs/smb/server/transport_ipc.c
|
|
+++ b/fs/smb/server/transport_ipc.c
|
|
@@ -310,7 +310,11 @@ static int ipc_server_config_on_startup(
|
|
server_conf.signing = req->signing;
|
|
server_conf.tcp_port = req->tcp_port;
|
|
server_conf.ipc_timeout = req->ipc_timeout * HZ;
|
|
- server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL;
|
|
+ if (check_mul_overflow(req->deadtime, SMB_ECHO_INTERVAL,
|
|
+ &server_conf.deadtime)) {
|
|
+ ret = -EINVAL;
|
|
+ goto out;
|
|
+ }
|
|
server_conf.share_fake_fscaps = req->share_fake_fscaps;
|
|
ksmbd_init_domain(req->sub_auth);
|
|
|
|
@@ -337,6 +341,7 @@ static int ipc_server_config_on_startup(
|
|
server_conf.bind_interfaces_only = req->bind_interfaces_only;
|
|
ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
|
|
req->ifc_list_sz);
|
|
+out:
|
|
if (ret) {
|
|
pr_err("Server configuration error: %s %s %s\n",
|
|
req->netbios_name, req->server_string,
|