diff options
| author | Norbert Szetei <norbert@doyensec.com> | 2025-03-29 16:06:01 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-04-10 14:33:43 +0200 |
| commit | 3ac65de111c686c95316ade660f8ba7aea3cd3cc (patch) | |
| tree | 7b0c3516067892cf52f3865a2102273cc19b9360 | |
| parent | 596407adb9af1ee75fe7c7529607783d31b66e7f (diff) | |
| download | linux-3ac65de111c686c95316ade660f8ba7aea3cd3cc.tar.gz linux-3ac65de111c686c95316ade660f8ba7aea3cd3cc.tar.bz2 linux-3ac65de111c686c95316ade660f8ba7aea3cd3cc.zip | |
ksmbd: validate zero num_subauth before sub_auth is accessed
commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream.
Access psid->sub_auth[psid->num_subauth - 1] without checking
if num_subauth is non-zero leads to an out-of-bounds read.
This patch adds a validation step to ensure num_subauth != 0
before sub_auth is accessed.
Cc: stable@vger.kernel.org
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/smb/server/smbacl.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index 3adab8e10a21..90c5e3edbf46 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -270,6 +270,11 @@ static int sid_to_id(struct user_namespace *user_ns, return -EIO; } + if (psid->num_subauth == 0) { + pr_err("%s: zero subauthorities!\n", __func__); + return -EIO; + } + if (sidtype == SIDOWNER) { kuid_t uid; uid_t id; |