| author | Joshua Rogers <linux@joshua.hu> | 2025-11-07 00:09:37 +0800 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2025-11-07 10:15:43 -0600 |
| commit | 4012abe8a78fbb8869634130024266eaef7081fe (patch) | |
| tree | 45dd4c2e376debf671f20d08041b2476b9338192 | |
| parent | b540de9e3b4fab3b9e10f30714a6f5c1b2a50ec3 (diff) | |
| download | linux-4012abe8a78fbb8869634130024266eaef7081fe.tar.gz linux-4012abe8a78fbb8869634130024266eaef7081fe.tar.bz2 linux-4012abe8a78fbb8869634130024266eaef7081fe.zip | |
smb: client: validate change notify buffer before copy
SMB2_change_notify called smb2_validate_iov() but ignored the return
code, then kmemdup()ed using server provided OutputBufferOffset/Length.
Check the return of smb2_validate_iov() and bail out on error.
Discovered with help from the ZeroPath security tooling.
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: stable@vger.kernel.org
Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support")
Signed-off-by: Steve French <stfrench@microsoft.com>
| -rw-r--r-- | fs/smb/client/smb2pdu.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index b0739a2661bf..8b4a4573e9c3 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4054,9 +4054,12 @@ replay_again: smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base; - smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), - le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov, + rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), + le32_to_cpu(smb_rsp->OutputBufferLength), + &rsp_iov, sizeof(struct file_notify_information)); + if (rc) + goto cnotify_exit; *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset), le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL); |
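Review bot: The new `if (rc) goto cnotify_exit;` bails before `*out_data` is assigned, so on a validation failure the caller's `out_data` is left untouched and only the nonzero `rc` signals that no buffer was returned; the label target is outside this hunk, so confirm that `cnotify_exit` still releases `rsp_iov` (the `free_rsp_buf` call is not visible in the context shown) and that every caller of `SMB2_change_notify` checks `rc` before dereferencing `*out_data`. The `kmemdup()` in the trailing context also has no NULL check within the visible lines; if it lives further down, a short comment above the `smb2_validate_iov()` call noting that `OutputBufferOffset`/`OutputBufferLength` are server-controlled and must pass validation before they feed `kmemdup()` would make the intent of the new check obvious to the next reader.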
