Commit 9a63b999 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: fix potencial 32bit overflow from data area check in smb2_write 



DataOffset and Length validation can be potencial 32bit overflow.
This patch fix it.

Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent bf8acc9e

fs/ksmbd/smb2pdu.c

+2 −4
Original line number Diff line number Diff line
@@ -6197,8 +6197,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work) 
	    (offsetof(struct smb2_write_req, Buffer) - 4)) {

		data_buf = (char *)&req->Buffer[0];

	} else {

		if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||

		    (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {

		if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {

			pr_err("invalid write data offset %u, smb_len %u\n",

			       le16_to_cpu(req->DataOffset),

			       get_rfc1002_len(req));
@@ -6356,8 +6355,7 @@ int smb2_write(struct ksmbd_work *work) 
		    (offsetof(struct smb2_write_req, Buffer) - 4)) {

			data_buf = (char *)&req->Buffer[0];

		} else {

			if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||

			    (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {

			if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {

				pr_err("invalid write data offset %u, smb_len %u\n",

				       le16_to_cpu(req->DataOffset),

				       get_rfc1002_len(req));