Unverified Commit ef9b72ca authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14829 ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write 

Merge Pull Request from: @ci-robot 
 
PR sync from: Yongjian Sun <sunyongjian1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/QHU42PJNGYKFGAMVRGD3MHCYNPKWUQZG/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBEAP7 
 
Link:https://gitee.com/openeuler/kernel/pulls/14829

 

Reviewed-by: default avatarLi Nan <linan122@huawei.com>
Signed-off-by: default avatarLi Nan <linan122@huawei.com>
parents 0880d9db 057fdc02

fs/ksmbd/smb2pdu.c

+5 −3
Original line number Diff line number Diff line
@@ -6535,6 +6535,11 @@ int smb2_write(struct ksmbd_work *work) 
		return smb2_write_pipe(work);

	}



	offset = le64_to_cpu(req->Offset);

	if (offset < 0)

		return -EINVAL;

	length = le32_to_cpu(req->Length);



	if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||

	    req->Channel == SMB2_CHANNEL_RDMA_V1_INVALIDATE) {

		unsigned int ch_offset = le16_to_cpu(req->WriteChannelInfoOffset);
@@ -6573,9 +6578,6 @@ int smb2_write(struct ksmbd_work *work) 
		goto out;

	}



	offset = le64_to_cpu(req->Offset);

	length = le32_to_cpu(req->Length);



	if (length > work->conn->vals->max_write_size) {

		ksmbd_debug(SMB, "limiting write size to max size(%u)\n",

			    work->conn->vals->max_write_size);