From e7c9d42b0ada4d3a3a7b2c78a8b1d695f118f092 Mon Sep 17 00:00:00 2001 From: Yang Xiongwei Date: Mon, 17 Jun 2024 10:29:05 +0800 Subject: [PATCH] ksmbd: validate request buffer size in smb2_allocate_rsp_buf() mainline inclusion from mainline-v6.9-rc4 commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI CVE: CVE-2024-26936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17cf0c2794bdb6f39671265aa18aea5c22ee8c4a -------------------------------- The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon Signed-off-by: Steve French Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: Long Li --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4df7108a886f..7937f860ea8f 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) if (cmd == SMB2_QUERY_INFO_HE) { struct smb2_query_info_req *req; + if (get_rfc1002_len(work->request_buf) < + offsetof(struct smb2_query_info_req, OutputBufferLength)) + return -EINVAL; + req = smb2_get_msg(work->request_buf); if ((req->InfoType == SMB2_O_INFO_FILE && (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- Gitee