diff options
| author | Norbert Szetei <norbert@doyensec.com> | 2025-03-15 12:19:28 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-04-10 14:33:42 +0200 |
| commit | 629dd37acc336ad778979361c351e782053ea284 (patch) | |
| tree | a16445cf4f7e11a149eb10e262c1a98470823531 /fs | |
| parent | 8857a956f701aad3c94b59f9abe2854126d2a04b (diff) | |
| download | linux-629dd37acc336ad778979361c351e782053ea284.tar.gz linux-629dd37acc336ad778979361c351e782053ea284.tar.bz2 linux-629dd37acc336ad778979361c351e782053ea284.zip | |
ksmbd: add bounds check for create lease context
commit bab703ed8472aa9d109c5f8c1863921533363dae upstream.
Add missing bounds check for create lease context.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/smb/server/oplock.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c index b29e78b517bf..a3c016a11e27 100644 --- a/fs/smb/server/oplock.c +++ b/fs/smb/server/oplock.c @@ -1534,6 +1534,10 @@ struct lease_ctx_info *parse_lease_state(void *open_req, bool is_dir) if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) { struct create_lease_v2 *lc = (struct create_lease_v2 *)cc; + if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) < + sizeof(struct create_lease_v2) - 4) + return NULL; + memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE); if (is_dir) { lreq->req_state = lc->lcontext.LeaseState & @@ -1551,6 +1555,10 @@ struct lease_ctx_info *parse_lease_state(void *open_req, bool is_dir) } else { struct create_lease *lc = (struct create_lease *)cc; + if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) < + sizeof(struct create_lease)) + return NULL; + memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE); lreq->req_state = lc->lcontext.LeaseState; lreq->flags = lc->lcontext.LeaseFlags; |