Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

smb: client: validate change notify buffer before copy

SMB2_change_notify called smb2_validate_iov() but ignored the return
code, then kmemdup()ed using server provided OutputBufferOffset/Length.

Check the return of smb2_validate_iov() and bail out on error.

Discovered with help from the ZeroPath security tooling.

Signed-off-by: Joshua Rogers <linux@joshua.hu>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: stable@vger.kernel.org
Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support")
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Joshua Rogers and committed by Steve French
4012abe8 b540de9e

+5 -2
fs/smb/client/smb2pdu.c
··· 4054 4054 4055 4055 smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base; 4056 4056 4057 - smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), 4058 - le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov, 4057 + rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), 4058 + le32_to_cpu(smb_rsp->OutputBufferLength), 4059 + &rsp_iov, 4059 4060 sizeof(struct file_notify_information)); 4061 + if (rc) 4062 + goto cnotify_exit; 4060 4063 4061 4064 *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset), 4062 4065 le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL);
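
Review bot: In the kmemdup() call that follows the new `if (rc) goto cnotify_exit;` check, OutputBufferOffset and OutputBufferLength are decoded from smb_rsp a second time instead of reusing the values that were just validated. Consider reading both into locals once and passing those locals to smb2_validate_iov() and to kmemdup(), so the copy is visibly bounded by exactly what was checked and the le16_to_cpu()/le32_to_cpu() conversions are not repeated. It is also worth confirming that the cnotify_exit path leaves *out_data in a defined state for the caller when validation fails, since these lines do not show it being set before the jump.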