Unverified Commit 75cd4528 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!1596 ksmbd: fix out-of-bound read in deassemble_neg_contexts()

parents a1c988d0 5df19222
+6 −7
@@ -970,13 +970,13 @@ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,

static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
				      struct smb2_negotiate_req *req,
				      int len_of_smb)
				      unsigned int len_of_smb)
{
	/* +4 is to account for the RFC1001 len field */
	struct smb2_neg_context *pctx = (struct smb2_neg_context *)req;
	int i = 0, len_of_ctxts;
	int offset = le32_to_cpu(req->NegotiateContextOffset);
	int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
	unsigned int offset = le32_to_cpu(req->NegotiateContextOffset);
	unsigned int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
	__le32 status = STATUS_INVALID_PARAMETER;

	ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt);
@@ -994,7 +994,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
		if (len_of_ctxts == 0)
			break;

		if (len_of_ctxts < sizeof(struct smb2_neg_context))
		if (len_of_ctxts < (int)sizeof(struct smb2_neg_context))
			break;

		pctx = (struct smb2_neg_context *)((char *)pctx + offset);
@@ -1045,9 +1045,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
		}

		/* offsets must be 8 byte aligned */
		clen = (clen + 7) & ~0x7;
		offset = clen + sizeof(struct smb2_neg_context);
		len_of_ctxts -= clen + sizeof(struct smb2_neg_context);
		offset = (clen + sizeof(struct smb2_neg_context) + 7) & ~0x7;
		len_of_ctxts -= offset;
	}
	return status;
}
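Review bot: With neg_ctxt_cnt now declared `unsigned int` in the first hunk, the `%d` conversion in the ksmbd_debug() call on the following context line no longer matches its argument; change it to `ksmbd_debug(SMB, "decoding %u negotiate contexts\n", neg_ctxt_cnt);`. The same hunk leaves len_of_ctxts as `int` while len_of_smb, offset and neg_ctxt_cnt become unsigned, so the `(int)` cast in the second hunk and `len_of_ctxts -= offset` in the third hunk now mix signedness and rely on the implementation-defined unsigned-to-int conversion. If len_of_ctxts is derived from `len_of_smb - offset` (that line lies between the first and second hunks and is not visible here), an explicit `if (offset > len_of_smb) break;` before the subtraction would state the bound directly instead of depending on the result going negative. The loop head and the per-context length checks of deassemble_neg_contexts() fall outside the hunks, so this review covers only the visible lines.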