Commit b5e5f9df authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: check invalid FileOffset and BeyondFinalZero in FSCTL_ZERO_DATA 



FileOffset should not be greater than BeyondFinalZero in FSCTL_ZERO_DATA.
And don't call ksmbd_vfs_zero_data() if length is zero.

Cc: stable@vger.kernel.org
Reviewed-by: default avatarHyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 18e39fb9

fs/ksmbd/smb2pdu.c

+17 −10
Original line number Diff line number Diff line
@@ -7700,7 +7700,7 @@ int smb2_ioctl(struct ksmbd_work *work) 
	{

		struct file_zero_data_information *zero_data;

		struct ksmbd_file *fp;

		loff_t off, len;

		loff_t off, len, bfz;



		if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {

			ksmbd_debug(SMB,
@@ -7717,19 +7717,26 @@ int smb2_ioctl(struct ksmbd_work *work) 
		zero_data =

			(struct file_zero_data_information *)&req->Buffer[0];



		off = le64_to_cpu(zero_data->FileOffset);

		bfz = le64_to_cpu(zero_data->BeyondFinalZero);

		if (off > bfz) {

			ret = -EINVAL;

			goto out;

		}



		len = bfz - off;

		if (len) {

			fp = ksmbd_lookup_fd_fast(work, id);

			if (!fp) {

				ret = -ENOENT;

				goto out;

			}



		off = le64_to_cpu(zero_data->FileOffset);

		len = le64_to_cpu(zero_data->BeyondFinalZero) - off;



			ret = ksmbd_vfs_zero_data(work, fp, off, len);

			ksmbd_fd_put(work, fp);

			if (ret < 0)

				goto out;

		}

		break;

	}

	case FSCTL_QUERY_ALLOCATED_RANGES: