Commit 3941acb0 authored by Marios Makassikis, committed by Zhong Jinghua

ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()

mainline inclusion
from mainline-5.16-rc1
commit 78f1688a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA

Reference: https://git.kernel.org/torvalds/linux/c/78f1688a64cc



-------------------------------

The validate_negotiate_info_req struct definition includes an extra
field to access the data coming after the header. This causes the check
in fsctl_validate_negotiate_info() to count the first element of the
array twice. This in turn makes some valid requests fail, depending on
whether they include padding or not.

Fixes: f7db8fd0 ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
parent 23d8d451
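
The double count described in the commit message, as an added user-space illustration (not the commit's diff and not ksmbd code). The struct layout, field names and both check functions are assumptions modelled on the description: a header followed by a one-element array, with the minimum length computed once via `sizeof()` and once via `offsetof()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for illustration; field names are not taken from the page. */
struct vni_req {
    uint32_t capabilities;
    uint8_t  guid[16];
    uint16_t security_mode;
    uint16_t dialect_count;
    uint16_t dialects[1];   /* the "extra field": first element of the array */
} __attribute__((packed));

/* Check of the kind the commit message describes: sizeof() already includes
 * dialects[0], so adding dialect_count elements counts the first one twice. */
static int check_sizeof(size_t in_buf_len, uint16_t dialect_count)
{
    return in_buf_len >= sizeof(struct vni_req) +
                         dialect_count * sizeof(uint16_t);
}

/* Header-only length via offsetof(): each dialect is counted exactly once. */
static int check_offsetof(size_t in_buf_len, uint16_t dialect_count)
{
    return in_buf_len >= offsetof(struct vni_req, dialects) +
                         dialect_count * sizeof(uint16_t);
}

/* Exact length of a request carrying n dialects, plus optional padding. */
static size_t req_len(uint16_t n, size_t padding)
{
    return offsetof(struct vni_req, dialects) + n * sizeof(uint16_t) + padding;
}

int main(void)
{
    /* Constructed cases: two dialects, without and with 4 bytes of padding. */
    size_t tight = req_len(2, 0), padded = req_len(2, 4);
    printf("tight  (%zu bytes): sizeof=%d offsetof=%d\n", tight,
           check_sizeof(tight, 2), check_offsetof(tight, 2));
    printf("padded (%zu bytes): sizeof=%d offsetof=%d\n", padded,
           check_sizeof(padded, 2), check_offsetof(padded, 2));
    /* A truncated buffer is rejected by both checks. */
    printf("short  (%zu bytes): sizeof=%d offsetof=%d\n", tight - 1,
           check_sizeof(tight - 1, 2), check_offsetof(tight - 1, 2));
    return 0;
}
```

The unpadded, exactly sized request is rejected only by the `sizeof()` form, while the padded one passes both, which matches the padding-dependent failures the message reports.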