ksmbd: avoid out of bounds access in decode_preauth_ctxt() (e7067a44) · Commits · EulixOS / Software / Kernel

fs/ksmbd/smb2pdu.c

+14 −9

Original line number	Diff line number	Diff line
		@@ -876,17 +876,21 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
		}

		static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
		struct smb2_preauth_neg_context *pneg_ctxt)
		struct smb2_preauth_neg_context *pneg_ctxt,
		int len_of_ctxts)
		{
		__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
		/*
		* sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
		* which may not be present. Only check for used HashAlgorithms[1].
		*/
		if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
		return STATUS_INVALID_PARAMETER;

		if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
		conn->preauth_info->Preauth_HashId =
		SMB2_PREAUTH_INTEGRITY_SHA512;
		err = STATUS_SUCCESS;
		}
		if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
		return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;

		return err;
		conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
		return STATUS_SUCCESS;
		}

		static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
		@@ -1014,7 +1018,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
		break;

		status = decode_preauth_ctxt(conn,
		(struct smb2_preauth_neg_context *)pctx);
		(struct smb2_preauth_neg_context *)pctx,
		len_of_ctxts);
		if (status != STATUS_SUCCESS)
		break;
		} else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {