ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
mainline inclusion from mainline-v6.7-rc8 commit d10c77873ba1e9e6b91905018e29e196fd5f863d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YD63 CVE: CVE-2024-22705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d10c77873ba1e9e6b91905018e29e196fd5f863d -------------------------------- If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length, ksmbd_check_message doesn't validate request buffer it correctly. So slab-out-of-bounds warning from calling smb_strndup_from_utf16() in smb2_open() could happen. If ->NameLength is non-zero, Set the larger of the two sums (Name and CreateContext size) as the offset and length of the data area. Reported-by:Yang Chaoming <lometsj@live.com> Cc: stable@vger.kernel.org Signed-off-by:
Loading
Please sign in to comment