Commit 79ed288c authored Aug 06, 2023 by Namjae Jeon Committed by Steve French Aug 05, 2023

ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()



There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request
from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of
current smb2_ea_info. ksmbd need to validate buffer length Before
accessing the next ea. ksmbd should check buffer length using buf_len,
not next variable. next is the start offset of current ea that got from
previous ea.

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21598
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 5aa4fda5

fs/smb/server/smb2pdu.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -2324,9 +2324,16 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, unsigned int buf_len,
		break;
		buf_len -= next;
		eabuf = (struct smb2_ea_info )((char )eabuf + next);
		if (next < (u32)eabuf->EaNameLength + le16_to_cpu(eabuf->EaValueLength))
		if (buf_len < sizeof(struct smb2_ea_info)) {
		rc = -EINVAL;
		break;
		}

		if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
		le16_to_cpu(eabuf->EaValueLength)) {
		rc = -EINVAL;
		break;
		}
		} while (next != 0);

		kfree(attr_name);