!4299 smb: client: fix NULL deref in asn1_ber_decoder() (2fd8a588) · Commits · EulixOS / Software / Kernel

fs/cifs/smb2misc.c

+10 −16

Original line number	Diff line number	Diff line
		@@ -302,6 +302,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
		char *
		smb2_get_data_area_len(int off, int len, struct smb2_sync_hdr *shdr)
		{
		const int max_off = 4096;
		const int max_len = 128 * 1024;

		*off = 0;
		*len = 0;

		@@ -369,28 +372,19 @@ smb2_get_data_area_len(int off, int len, struct smb2_sync_hdr *shdr)
		* Invalid length or offset probably means data area is invalid, but
		* we have little choice but to ignore the data area in this case.
		*/
		if (*off > 4096) {
		cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
		*len = 0;
		*off = 0;
		} else if (*off < 0) {
		cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
		*off);
		if (unlikely(off < 0 \|\| off > max_off \|\|
		len < 0 \|\| len > max_len)) {
		cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",
		__func__, off, len);
		*off = 0;
		*len = 0;
		} else if (*len < 0) {
		cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
		*len);
		*len = 0;
		} else if (len > 128 1024) {
		cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
		} else if (*off == 0) {
		*len = 0;
		}

		/* return pointer to beginning of data area, ie offset from SMB start */
		if ((off != 0) && (len != 0))
		if (off > 0 && len > 0)
		return (char )shdr + off;
		else
		return NULL;
		}