diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2025-03-14 18:21:47 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-04-10 14:39:38 +0200 |
| commit | 29b946714d6aa77de54c71243bba39469ac43ef2 (patch) | |
| tree | b04399908a2fc24e4b99f4dd855101addbca4e61 | |
| parent | 9bc3299039d2c10d4fff7650ac17e415e87a862c (diff) | |
| download | linux-29b946714d6aa77de54c71243bba39469ac43ef2.tar.gz linux-29b946714d6aa77de54c71243bba39469ac43ef2.tar.bz2 linux-29b946714d6aa77de54c71243bba39469ac43ef2.zip | |
ksmbd: add bounds check for durable handle context
commit 542027e123fc0bfd61dd59e21ae0ee4ef2101b29 upstream.
Add missing bounds check for durable handle context.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/smb/server/smb2pdu.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 5b94d90870b0..1c7433aaad29 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2699,6 +2699,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work, goto out; } + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_durable_reconn_v2_req)) { + err = -EINVAL; + goto out; + } + recon_v2 = (struct create_durable_reconn_v2_req *)context; persistent_id = recon_v2->Fid.PersistentFileId; dh_info->fp = ksmbd_lookup_durable_fd(persistent_id); @@ -2732,6 +2739,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work, goto out; } + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_durable_reconn_req)) { + err = -EINVAL; + goto out; + } + recon = (struct create_durable_reconn_req *)context; persistent_id = recon->Data.Fid.PersistentFileId; dh_info->fp = ksmbd_lookup_durable_fd(persistent_id); @@ -2757,6 +2771,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work, goto out; } + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_durable_req_v2)) { + err = -EINVAL; + goto out; + } + durable_v2_blob = (struct create_durable_req_v2 *)context; ksmbd_debug(SMB, "Request for durable v2 open\n"); |