Commit 44ed0921 authored by Dan Carpenter, committed by Long Li

cifs: fix underflow in parse_server_interfaces()

mainline inclusion
from mainline-v6.8-rc4
commit cffe487026be13eaf37ea28b783d9638ab147204
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJRD
CVE: CVE-2024-26828

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cffe487026be13eaf37ea28b783d9638ab147204



--------------------------------

In this loop, we step through the buffer and after each item we check
if the size_left is greater than the minimum size we need.  However,
the problem is that "bytes_left" is type ssize_t while sizeof() is type
size_t.  That means that because of type promotion, the comparison is
done as an unsigned and if we have negative bytes left the loop
continues instead of ending.

Fixes: fe856be4 ("CIFS: parse and store info on iface queries")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Conflict:
	fs/cifs/smb2ops.c

Signed-off-by: Long Li <leo.lilong@huawei.com>
parent 5d7f26cf
+2 −2
@@ -351,7 +351,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,

	bytes_left = buf_len;
	p = buf;
	while (bytes_left >= sizeof(*p)) {
	while (bytes_left >= (ssize_t)sizeof(*p)) {
		nb_iface++;
		next = le32_to_cpu(p->Next);
		if (!next) {
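Review bot: the `(ssize_t)` cast in `while (bytes_left >= (ssize_t)sizeof(*p))` carries the entire fix but has no comment, so a later cleanup could drop it as redundant and silently bring back the unsigned comparison. A one-line comment above the loop saying that `bytes_left` is signed and can go negative would protect it. It is also worth considering a check of `next` against `bytes_left` at the point where it is read from the response (`next = le32_to_cpu(p->Next);`), so that an oversized value ends the walk there and the loop condition is not the only guard.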
@@ -385,7 +385,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
	info = *iface_list;
	bytes_left = buf_len;
	p = buf;
	while (bytes_left >= sizeof(*p)) {
	while (bytes_left >= (ssize_t)sizeof(*p)) {
		info->speed = le64_to_cpu(p->LinkSpeed);
		info->rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE);
		info->rss_capable = le32_to_cpu(p->Capability & RSS_CAPABLE);
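Review bot: this second `while (bytes_left >= (ssize_t)sizeof(*p))` duplicates the condition of the first loop by hand, and this is the pass that stores fields through `info` (`info->speed`, `info->rdma_capable`, `info->rss_capable`), so the two bounds must never diverge. Consider declaring the minimum once as a signed local, for example `const ssize_t min_len = sizeof(*p);`, and using it in both loops, which removes the repeated cast and keeps the counting pass and the filling pass on the same termination rule.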