Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

cifs: fix integer overflow in match_server()

The echo_interval is not limited in any way during mounting,
which makes it possible to write a large number to it. This can
cause an overflow when multiplying ctx->echo_interval by HZ in
match_server().

Add constraints for echo_interval to smb3_fs_context_parse_param().

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>

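An added illustration of the failure mode the commit message describes and of the parse-time bound the patch introduces; this is not kernel code. HZ and the SMB_ECHO_INTERVAL_MIN/MAX values are assumed for the example, and parse_echo_interval() and echo_interval_accepted() are hypothetical stand-ins for the fs_context.c logic.

```c
/* Added illustration, not kernel code. HZ and the SMB_ECHO_INTERVAL_*
 * bounds are assumed values; the kernel defines its own. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define HZ 1000U                     /* assumed: a common CONFIG_HZ value */
#define SMB_ECHO_INTERVAL_MIN 1U     /* assumed lower bound, seconds */
#define SMB_ECHO_INTERVAL_MAX 600U   /* assumed upper bound, seconds */

/* Before the fix: the mount option is stored unchecked and later
 * scaled to jiffies; unsigned multiplication silently wraps. */
unsigned int echo_jiffies_unchecked(unsigned int echo_interval)
{
	return echo_interval * HZ;
}

/* Detect whether scaling a given interval would wrap. */
bool echo_jiffies_overflows(unsigned int echo_interval)
{
	unsigned int unused;
	return __builtin_mul_overflow(echo_interval, HZ, &unused);
}

/* After the fix: reject the option at parse time. Returns 0 and stores
 * the value, or -EINVAL on the error path (hypothetical helper). */
int parse_echo_interval(unsigned int value, unsigned int *echo_interval)
{
	if (value < SMB_ECHO_INTERVAL_MIN || value > SMB_ECHO_INTERVAL_MAX) {
		fprintf(stderr, "echo interval is out of bounds\n");
		return -EINVAL;
	}
	*echo_interval = value;
	return 0;
}

/* Convenience wrapper returning only the accept/reject verdict. */
int echo_interval_accepted(unsigned int value)
{
	unsigned int tmp;
	return parse_echo_interval(value, &tmp) == 0;
}

int main(void)
{
	unsigned int huge = 4294968U; /* constructed: 4294968 * 1000 > UINT_MAX */

	printf("unchecked: %u s -> %u jiffies (wrapped: %s)\n", huge,
	       echo_jiffies_unchecked(huge),
	       echo_jiffies_overflows(huge) ? "yes" : "no");
	printf("checked parse accepts %u: %d\n", huge, echo_interval_accepted(huge));
	return 0;
}
```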
Authored by Roman Smirnov, committed by Steve French
25108594 8b175e2e

Changed file: fs/smb/client/fs_context.c (+5)
··· 1383 1383 ctx->closetimeo = HZ * result.uint_32; 1384 1384 break; 1385 1385 case Opt_echo_interval: 1386 + if (result.uint_32 < SMB_ECHO_INTERVAL_MIN || 1387 + result.uint_32 > SMB_ECHO_INTERVAL_MAX) { 1388 + cifs_errorf(fc, "echo interval is out of bounds\n"); 1389 + goto cifs_parse_mount_err; 1390 + } 1386 1391 ctx->echo_interval = result.uint_32; 1387 1392 break; 1388 1393 case Opt_snapshot:
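Review bot: the bounds SMB_ECHO_INTERVAL_MIN and SMB_ECHO_INTERVAL_MAX are used in the new check at lines 1386-1387 but are not defined in this hunk; confirm that SMB_ECHO_INTERVAL_MAX * HZ fits in an unsigned int at the largest supported HZ, since the commit message's concern is the later multiplication by HZ in match_server() and this parse-time check only removes the overflow if the upper bound is small enough. The adjacent Opt_closetimeo case at line 1383 computes `ctx->closetimeo = HZ * result.uint_32;` with no visible range check, which is the same unchecked multiplication pattern and may deserve the same treatment in a follow-up. Minor: the message "echo interval is out of bounds" could state the accepted range so a user can correct the mount option without reading the source.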