authorJordy Zomer <jordyzomer@google.com>2024-11-28 09:32:45 +0900
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-12-14 20:03:20 +0100
commit81eed631935f2c52cdaf6691c6d48e0b06e8ad73 (patch)
tree735a8a0d71b2ca9fafb11fdf445bf5a2a4a6f413 /fs/smb
parent1aece9662013c4e24a678e9145e5195e2bf326ae (diff)
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
commit fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 upstream. An offset from the client could be a negative value, which could lead to an out-of-bounds read from the stream_buf. Note that this issue occurs when the 'vfs objects = streams_xattr' parameter is set in ksmbd.conf. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Jordy Zomer <jordyzomer@google.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/smb')
-rw-r--r--fs/smb/server/smb2pdu.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 599118aed205..ce6dff5c7d74 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6651,6 +6651,10 @@ int smb2_read(struct ksmbd_work *work)
}
offset = le64_to_cpu(req->Offset);
+ if (offset < 0) {
+ err = -EINVAL;
+ goto out;
+ }
length = le32_to_cpu(req->Length);
mincount = le32_to_cpu(req->MinimumCount);
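Review bot: The added `if (offset < 0)` guard carries no comment explaining how a wire field can be negative; a line such as `/* Offset is client-supplied; values above S64_MAX turn negative once stored in a signed offset */` above it would record the reason. The check also sits only in smb2_read, while the description places the out-of-bounds access in ksmbd_vfs_stream_read. Any other caller of that helper, and the write path if it converts `req->Offset` the same way, would therefore still depend on its own validation, so a matching bounds check inside the stream helper would make the defence independent of the caller. The declaration of `offset` and the `out` label are outside the hunk, so the signedness assumption and the status returned to the client for `-EINVAL` should be confirmed there.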