ksmbd: avoid out of bounds access in decode_preauth_ctxt() (e7067a44) · Commits · Mirrors / github.com / raspberrypi_linux · GitLab

Commit e7067a44 authored Apr 13, 2023 by

David Disseldorp Committed by Steve French Apr 13, 2023

ksmbd: avoid out of bounds access in decode_preauth_ctxt()



Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
the SMB request boundary; deassemble_neg_contexts() only checks that the
eight byte smb2_neg_context header + (client controlled) DataLength are
within the packet boundary, which is insufficient.

Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 09a9639e

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit a2f6ded4
· Apr 25, 2023

mentioned in commit a2f6ded4

mentioned in commit a2f6ded41bec1d3be643c80a5eb97f1680309001

Toggle commit list

Please register or to comment