From 2872138fe04d64dd77068a5d99ff04f757a6f999 Mon Sep 17 00:00:00 2001
From: Chih-Yen Chang <cc85nod@gmail.com>
Date: Thu, 27 Jul 2023 16:14:44 +0800
Subject: [PATCH] ksmbd: allocate one more byte for implied bcc[0]

mainline inclusion
from mainline-v6.4-rc3
commit 443d61d1fa9faa60ef925513d83742902390100f
category: bugfix
bugzilla: 189030, https://gitee.com/openeuler/kernel/issues/I7LU2I
CVE: CVE-2023-38429

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=443d61d1fa9faa60ef925513d83742902390100f

----------------------------------------

ksmbd_smb2_check_message allows client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bound access.

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

Conflict:
	fs/ksmbd/connection.c

Signed-off-by: Li Nan <linan122@huawei.com>
(cherry picked from commit ff45e8b337da0ee38c2f28ca9b8251c4daf06f54)
---
 fs/ksmbd/connection.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 8e15ec9e8f43..9c4ca0bbd71e 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -309,7 +309,8 @@ int ksmbd_conn_handler_loop(void *p)
 		}
 
 		/* 4 for rfc1002 length field */
-		size = pdu_size + 4;
+		/* 1 for implied bcc[0] */
+		size = pdu_size + 4 + 1;
 		conn->request_buf = kvmalloc(size, GFP_KERNEL);
 		if (!conn->request_buf)
 			continue;
-- 
Gitee