Commit 61dc2a2e authored Jan 06, 2023 by Marios Makassikis Committed by Zheng Zengkai Jan 06, 2023

ksmbd: validate length in smb2_write()

mainline inclusion
from mainline-v5.18-rc6
commit 158a66b2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I67AMR
CVE: CVE-2022-47940

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=158a66b245739e15858de42c0ba60fcf3de9b8e6



--------------------------------

The SMB2 Write packet contains data that is to be written
to a file or to a pipe. Depending on the client, there may
be padding between the header and the data field.
Currently, the length is validated only in the case padding
is present.

Since the DataOffset field always points to the beginning
of the data, there is no need to have a special case for
padding. By removing this, the length is validated in both
cases.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

conflicts:
	fs/ksmbd/smb2pdu.c

Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 5a5e896a

Show whitespace changes

Inline Side-by-side

Please to comment