ksmbd: add buffer validation for SMB2_CREATE_CONTEXT

 */

struct create_context *smb2_find_context_vals(void *open_req, const char *tag)

{

	char *data_offset;

	struct create_context *cc;

	unsigned int next = 0;

	char *name;

	struct smb2_create_req *req = (struct smb2_create_req *)open_req;

	unsigned int remain_len, name_off, name_len, value_off, value_len,

		     cc_len;

	data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);

	cc = (struct create_context *)data_offset;

	/*

	 * CreateContextsOffset and CreateContextsLength are guaranteed to

	 * be valid because of ksmbd_smb2_check_message().

	 */

	cc = (struct create_context *)((char *)req + 4 +

				       le32_to_cpu(req->CreateContextsOffset));

	remain_len = le32_to_cpu(req->CreateContextsLength);

	do {

		int val;

		cc = (struct create_context *)((char *)cc + next);

		name = le16_to_cpu(cc->NameOffset) + (char *)cc;

		val = le16_to_cpu(cc->NameLength);

		if (val < 4)

		if (remain_len < offsetof(struct create_context, Buffer))

			return ERR_PTR(-EINVAL);

		if (memcmp(name, tag, val) == 0)

			return cc;

		next = le32_to_cpu(cc->Next);

		name_off = le16_to_cpu(cc->NameOffset);

		name_len = le16_to_cpu(cc->NameLength);

		value_off = le16_to_cpu(cc->DataOffset);

		value_len = le32_to_cpu(cc->DataLength);

		cc_len = next ? next : remain_len;

		if ((next & 0x7) != 0 ||

		    next > remain_len ||

		    name_off != offsetof(struct create_context, Buffer) ||

		    name_len < 4 ||

		    name_off + name_len > cc_len ||

		    (value_off & 0x7) != 0 ||

		    (value_off && (value_off < name_off + name_len)) ||

		    ((u64)value_off + value_len > cc_len))

			return ERR_PTR(-EINVAL);

		name = (char *)cc + name_off;

		if (memcmp(name, tag, name_len) == 0)

			return cc;

		remain_len -= next;

	} while (next != 0);

	return NULL;

	ksmbd_debug(SMB,

		    "Set ACLs using SMB2_CREATE_SD_BUFFER context\n");

	sd_buf = (struct create_sd_buf_req *)context;

	if (le16_to_cpu(context->DataOffset) +

	    le32_to_cpu(context->DataLength) <

	    sizeof(struct create_sd_buf_req))

		return -EINVAL;

	return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd,

			    le32_to_cpu(sd_buf->ccontext.DataLength), true);

}

			goto err_out1;

		} else if (context) {

			ea_buf = (struct create_ea_buf_req *)context;

			if (le16_to_cpu(context->DataOffset) +

			    le32_to_cpu(context->DataLength) <

			    sizeof(struct create_ea_buf_req)) {

				rc = -EINVAL;

				goto err_out1;

			}

			if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) {

				rsp->hdr.Status = STATUS_ACCESS_DENIED;

				rc = -EACCES;

			} else if (context) {

				struct create_posix *posix =

					(struct create_posix *)context;

				if (le16_to_cpu(context->DataOffset) +

				    le32_to_cpu(context->DataLength) <

				    sizeof(struct create_posix)) {

					rc = -EINVAL;

					goto err_out1;

				}

				ksmbd_debug(SMB, "get posix context\n");

				posix_mode = le32_to_cpu(posix->Mode);

			rc = PTR_ERR(az_req);

			goto err_out;

		} else if (az_req) {

			loff_t alloc_size = le64_to_cpu(az_req->AllocationSize);

			loff_t alloc_size;

			int err;

			if (le16_to_cpu(az_req->ccontext.DataOffset) +

			    le32_to_cpu(az_req->ccontext.DataLength) <

			    sizeof(struct create_alloc_size_req)) {

				rc = -EINVAL;

				goto err_out;

			}

			alloc_size = le64_to_cpu(az_req->AllocationSize);

			ksmbd_debug(SMB,

				    "request smb2 create allocate size : %llu\n",

				    alloc_size);

{

	int i, ret;

	int num_aces = 0;

	int acl_size;

	unsigned int acl_size;

	char *acl_base;

	struct smb_ace **ppace;

	struct posix_acl_entry *cf_pace, *cf_pdace;

		return;

	/* validate that we do not go past end of acl */

	if (end_of_acl <= (char *)pdacl ||

	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||

	    end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {

		pr_err("ACL too small to parse DACL\n");

		return;

	 * user/group/other have no permissions

	 */

	for (i = 0; i < num_aces; ++i) {

		if (end_of_acl - acl_base < acl_size)

			break;

		ppace[i] = (struct smb_ace *)(acl_base + acl_size);

		acl_base = (char *)ppace[i];

		acl_size = offsetof(struct smb_ace, sid) +

			offsetof(struct smb_sid, sub_auth);

		if (end_of_acl - acl_base < acl_size ||

		    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||

		    (end_of_acl - acl_base <

		     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||

		    (le16_to_cpu(ppace[i]->size) <

		     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))

			break;

		acl_size = le16_to_cpu(ppace[i]->size);

		ppace[i]->access_req =

			smb_map_generic_desired_access(ppace[i]->access_req);

	if (!pntsd)

		return -EIO;

	if (acl_len < sizeof(struct smb_ntsd))

		return -EINVAL;

	owner_sid_ptr = (struct smb_sid *)((char *)pntsd +

			le32_to_cpu(pntsd->osidoffset));

	group_sid_ptr = (struct smb_sid *)((char *)pntsd +