Message ID | 20180319110745.GA12001@mwanda |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Series | ncpfs: memory corruption in ncp_read_kernel() | expand |
On Mon, Mar 19, 2018 at 02:07:45PM +0300, Dan Carpenter wrote: > If the server is malicious then *bytes_read could be larger than the > size of the "target" buffer. It would lead to memory corruption when we > do the memcpy(). > > Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/drivers/staging/ncpfs/ncplib_kernel.c b/drivers/staging/ncpfs/ncplib_kernel.c > index 804adfebba2f..3e047eb4cc7c 100644 > --- a/drivers/staging/ncpfs/ncplib_kernel.c > +++ b/drivers/staging/ncpfs/ncplib_kernel.c Ugh, I have like 2 more months before I delete this code :) Anyway, nice find, and fix, I'll go queue it up now, thanks. greg k-h
diff --git a/drivers/staging/ncpfs/ncplib_kernel.c b/drivers/staging/ncpfs/ncplib_kernel.c index 804adfebba2f..3e047eb4cc7c 100644 --- a/drivers/staging/ncpfs/ncplib_kernel.c +++ b/drivers/staging/ncpfs/ncplib_kernel.c @@ -981,6 +981,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, goto out; } *bytes_read = ncp_reply_be16(server, 0); + if (*bytes_read > to_read) { + result = -EINVAL; + goto out; + } source = ncp_reply_data(server, 2 + (offset & 1)); memcpy(target, source, *bytes_read);
If the server is malicious then *bytes_read could be larger than the size of the "target" buffer. It would lead to memory corruption when we do the memcpy(). Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>