ksmbd: validate zero num_subauth before sub_auth is accessed

commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream. Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed. Cc: stable@vger.kernel.org Signed-off-by: Norbert Szetei <norbert@doyensec.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Norbert Szetei <norbert@doyensec.com> 2025-03-29 16:06:01 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-04-10 14:37:43 +0200
commit: 0e36a3e080d6d8bd7a34e089345d043da4ac8283 (patch)
tree: b0cc857d12c6bceabd9ae74b65d1289990a2ea8f
parent: 3980770cb1470054e6400fd97668665975726737 (diff)
download: linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.tar.gz
linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.tar.bz2
linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index 109036e2227c..b90f893762f4 100644
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *idmap,
 		return -EIO;
 	}
 
+	if (psid->num_subauth == 0) {
+		pr_err("%s: zero subauthorities!\n", __func__);
+		return -EIO;
+	}
+
 	if (sidtype == SIDOWNER) {
 		kuid_t uid;
 		uid_t id;
author	Norbert Szetei <norbert@doyensec.com>	2025-03-29 16:06:01 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-04-10 14:37:43 +0200
commit	0e36a3e080d6d8bd7a34e089345d043da4ac8283 (patch)
tree	b0cc857d12c6bceabd9ae74b65d1289990a2ea8f
parent	3980770cb1470054e6400fd97668665975726737 (diff)
download	linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.tar.gz linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.tar.bz2 linux-0e36a3e080d6d8bd7a34e089345d043da4ac8283.zip