summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNamjae Jeon <linkinjeon@kernel.org>2025-02-12 09:32:11 +0900
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-03-28 22:03:32 +0100
commita4cb17797a5d241f1e509cb5b46ed95a80c2f5fd (patch)
tree559e6bd0514b3a72da33e34cc14bd91758193fb7
parent731eccbd65aac026770e78279d551e1895572bd0 (diff)
downloadlinux-a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd.tar.gz
linux-a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd.tar.bz2
linux-a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd.zip
ksmbd: fix incorrect validation for num_aces field of smb_acl
commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream. parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actual number of aces in request buffer size. Use this to check invalid num_aces. Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com> Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--fs/smb/server/smbacl.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index da8ed72f335d..109036e2227c 100644
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap *idmap,
if (num_aces <= 0)
return;
- if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+ if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
+ (offsetof(struct smb_ace, sid) +
+ offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
return;
ret = init_acl_state(&acl_state, num_aces);
@@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap *idmap,
offsetof(struct smb_sid, sub_auth);
if (end_of_acl - acl_base < acl_size ||
+ ppace[i]->sid.num_subauth == 0 ||
ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
(end_of_acl - acl_base <
acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||