
[1/4] smb: client: fix parsing of SMB3.1.1 POSIX create context

Message ID: 20240119040829.18428-1-pc@manguebit.com
State: New
Series: [1/4] smb: client: fix parsing of SMB3.1.1 POSIX create context

Commit Message

Paulo Alcantara Jan. 19, 2024, 4:08 a.m. UTC
The data offset for the SMB3.1.1 POSIX create context will always be
8-byte aligned so having the check 'noff + nlen >= doff' in
smb2_parse_contexts() is wrong as it will lead to -EINVAL because noff
+ nlen == doff.

Fix the sanity check to correctly handle aligned create context data.

Fixes: af1689a9b770 ("smb: client: fix potential OOBs in smb2_parse_contexts()")
Signed-off-by: Paulo Alcantara <pc@manguebit.com>
---
 fs/smb/client/smb2pdu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
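The edge case the commit message describes, as an added example that is not part of the patch or of the kernel source: a minimal stand-in for the name/data offset check in smb2_parse_contexts(), with the pre-fix and post-fix comparisons side by side. The helper names (get_le16, check_before_fix, check_after_fix, parse_context) and the byte buffer are constructed here; the header layout is the MS-SMB2 SMB2_CREATE_CONTEXT one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Little-endian u16 read, standing in for the kernel's le16_to_cpu(). */
static unsigned int get_le16(const uint8_t *p)
{
	return (unsigned int)p[0] | ((unsigned int)p[1] << 8);
}

/* Check as introduced by af1689a9b770: a name ending exactly at doff is rejected. */
static int check_before_fix(unsigned int noff, unsigned int nlen, unsigned int doff)
{
	return (noff + nlen >= doff) ? -EINVAL : 0;
}

/* Check after this patch: the name may end exactly where the data begins. */
static int check_after_fix(unsigned int noff, unsigned int nlen, unsigned int doff)
{
	return (noff + nlen > doff) ? -EINVAL : 0;
}

/* Read NameOffset/NameLength/DataOffset from a wire-format SMB2_CREATE_CONTEXT
 * header (Next:4 NameOffset:2 NameLength:2 Reserved:2 DataOffset:2 DataLength:4)
 * and apply one of the two checks. Returns 0 or -EINVAL. */
static int parse_context(const uint8_t *cc, size_t len,
			 int (*check)(unsigned int, unsigned int, unsigned int))
{
	if (len < 16)
		return -EINVAL;	/* the 16-byte header itself must fit (example's own check) */
	return check(get_le16(cc + 4), get_le16(cc + 6), get_le16(cc + 10));
}

/* Constructed POSIX-style context (not a real capture): 16-byte header,
 * 16-byte name at offset 16, data at the next 8-byte boundary, offset 32,
 * so noff + nlen == doff, exactly the case the commit message describes. */
static const uint8_t aligned_ctx[40] = {
	0, 0, 0, 0,		/* Next = 0 (last context in the chain) */
	16, 0,			/* NameOffset = 16 */
	16, 0,			/* NameLength = 16 */
	0, 0,			/* Reserved */
	32, 0,			/* DataOffset = 32, 8-byte aligned */
	8, 0, 0, 0,		/* DataLength = 8 */
	'P', 'O', 'S', 'I', 'X', '-', 'T', 'A', 'G', '-', 'X', 'X', 'X', 'X', 'X', 'X',
	1, 2, 3, 4, 5, 6, 7, 8,	/* 8 bytes of context data */
};
```

With the name ending at offset 32 and the data starting at the aligned offset 32, check_before_fix() returns -EINVAL while check_after_fix() accepts the context; a name that actually runs into the data (NameLength 17) is still rejected by both.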

Comments

Steve French Jan. 19, 2024, 4:45 a.m. UTC | #1
merged this 4 patch series into cifs-2.6.git for-next pending
additional review and testing


On Thu, Jan 18, 2024 at 10:08 PM Paulo Alcantara <pc@manguebit.com> wrote:
>
> The data offset for the SMB3.1.1 POSIX create context will always be
> 8-byte aligned so having the check 'noff + nlen >= doff' in
> smb2_parse_contexts() is wrong as it will lead to -EINVAL because noff
> + nlen == doff.
>
> Fix the sanity check to correctly handle aligned create context data.
>
> Fixes: af1689a9b770 ("smb: client: fix potential OOBs in smb2_parse_contexts()")
> Signed-off-by: Paulo Alcantara <pc@manguebit.com>
> ---
>  fs/smb/client/smb2pdu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 44abd4deb9eb..288199f0b987 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -2308,7 +2308,7 @@ int smb2_parse_contexts(struct TCP_Server_Info *server,
>
>                 noff = le16_to_cpu(cc->NameOffset);
>                 nlen = le16_to_cpu(cc->NameLength);
> -               if (noff + nlen >= doff)
> +               if (noff + nlen > doff)
>                         return -EINVAL;
>
>                 name = (char *)cc + noff;
> --
> 2.43.0
>

Patch

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 44abd4deb9eb..288199f0b987 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -2308,7 +2308,7 @@  int smb2_parse_contexts(struct TCP_Server_Info *server,
 
 		noff = le16_to_cpu(cc->NameOffset);
 		nlen = le16_to_cpu(cc->NameLength);
-		if (noff + nlen >= doff)
+		if (noff + nlen > doff)
 			return -EINVAL;
 
 		name = (char *)cc + noff;
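Review bot: the relaxed comparison on the `+` line now admits noff + nlen == doff, which the commit message justifies by the 8-byte alignment of the data offset; since af1689a9b770 chose `>=` deliberately, a one-line comment above the check would keep the next reader from "fixing" it back, e.g. `/* name may end exactly where the (aligned) data begins */`. This hunk only bounds the name against doff; whether doff itself is validated against the remaining context length is not visible in these lines and should be confirmed in the surrounding code before relying on `name = (char *)cc + noff` and the data pointer derived from doff.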