Message ID | 20240103121241.1723794-3-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | [SRU,Focal,Jammy] smb: client: fix OOB in smbCalcSize() | expand |
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index 5e4dab5dfb7a..33328eae03d7 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c @@ -340,6 +340,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */