Commit 2ae1a6cc authored by Namjae Jeon's avatar Namjae Jeon
Browse files

cifsd: fix potential read overflow in ksmbd_vfs_stream_read() 



If *pos or *pos + count is greater than v_len, It will read beyond
the stream_buf buffer. This patch add the check and cut down count with
size of the buffer.

Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent fd6de099

fs/cifsd/vfs.c

+11 −1
Original line number Diff line number Diff line
@@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos, 
	if ((int)v_len <= 0)

		return (int)v_len;



	if (v_len <= *pos) {

		count = -EINVAL;

		goto free_buf;

	}



	if (v_len - *pos < count)

		count = v_len - *pos;



	memcpy(buf, &stream_buf[*pos], count);



free_buf:

	kvfree(stream_buf);

	return v_len > count ? count : v_len;

	return count;

}



/**