tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class

Validate_buf () function checks for an expected minimum sized response
passed to query_info() function.
For security information, the size of a security descriptor can be
smaller (one subauthority, no ACEs) than the size of the structure
that defines FileInfoClass of FileAllInformation.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725
Cc: <stable@vger.kernel.org>
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Noah Morrison <noah.morrison@rubrik.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by

Shirish Pargaonkar and committed by
Steve French ee25c6dd 57f933ce

+15 -2
+14
fs/cifs/cifsacl.h
··· 98 98 struct cifs_sid sid; /* ie UUID of user or group who gets these perms */ 99 99 } __attribute__((packed)); 100 100 101 + /* 102 + * Minimum security identifier can be one for system defined Users 103 + * and Groups such as NULL SID and World or Built-in accounts such 104 + * as Administrator and Guest and consists of 105 + * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority) 106 + */ 107 + #define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */ 108 + 109 + /* 110 + * Minimum security descriptor can be one without any SACL and DACL and can 111 + * consist of revision, type, and two sids of minimum size for owner and group 112 + */ 113 + #define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN)) 114 + 101 115 #endif /* _CIFSACL_H */
+1 -2
fs/cifs/smb2pdu.c
··· 2492 2492 2493 2493 return query_info(xid, tcon, persistent_fid, volatile_fid, 2494 2494 0, SMB2_O_INFO_SECURITY, additional_info, 2495 - SMB2_MAX_BUFFER_SIZE, 2496 - sizeof(struct smb2_file_all_info), data, plen); 2495 + SMB2_MAX_BUFFER_SIZE, MIN_SEC_DESC_LEN, data, plen); 2497 2496 } 2498 2497 2499 2498 int