Commit 2d435efc authored by Namjae Jeon's avatar Namjae Jeon Committed by Long Li
Browse files

ksmbd: validate request buffer size in smb2_allocate_rsp_buf() 

mainline inclusion
from mainline-v6.9-rc4
commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI
CVE: CVE-2024-26936

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17cf0c2794bdb6f39671265aa18aea5c22ee8c4a



--------------------------------

The response buffer should be allocated in smb2_allocate_rsp_buf
before validating request. But the fields in payload as well as smb2 header
is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
validation to avoid potencial out-of-bounds in request buffer.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Conflicts:
	fs/smb/server/smb2pdu.c
	fs/ksmbd/smb2pdu.c
[lc:file path is not same]
Signed-off-by: default avatarLong Li <leo.lilong@huawei.com>
parent a1125812

fs/ksmbd/smb2pdu.c

+4 −0
Original line number Diff line number Diff line
@@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) 
	if (cmd == SMB2_QUERY_INFO_HE) {

		struct smb2_query_info_req *req;



		if (get_rfc1002_len(work->request_buf) <

			offsetof(struct smb2_query_info_req, OutputBufferLength))

			return -EINVAL;



		req = smb2_get_msg(work->request_buf);

		if ((req->InfoType == SMB2_O_INFO_FILE &&

		     (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||