
Commit 9e4937c

namjaejeon authored and gregkh committed
ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
[ Upstream commit d10c778 ]

If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length, ksmbd_check_message doesn't validate the request buffer correctly. So a slab-out-of-bounds warning from calling smb_strndup_from_utf16() in smb2_open() could happen.

If ->NameLength is non-zero, set the larger of the two sums (Name and CreateContext size) as the offset and length of the data area.

Reported-by: Yang Chaoming <lometsj@live.com>
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
1 parent 74dc3e5 commit 9e4937c

1 file changed: +4 -1 lines changed

fs/smb/server/smb2misc.c

Lines changed: 4 additions & 1 deletion
@@ -107,7 +107,10 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
107107
case SMB2_CREATE:
108108
{
109109
unsigned short int name_off =
110-
le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
110+
max_t(unsigned short int,
111+
le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset),
112+
offsetof(struct smb2_create_req, Buffer));
113+
111114
unsigned short int name_len =
112115
le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
113116
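Review bot: the new max_t() on name_off (lines 110-112) stops a client-supplied NameOffset from pointing back into the fixed-size smb2_create_req header, but the hunk carries no comment saying why offsetof(struct smb2_create_req, Buffer) is the floor; a one-liner such as `/* NameOffset must not point before the variable-length Buffer */` above the max_t() would save the next reader from re-deriving it. The commit message also describes taking the larger of the Name and CreateContext sums, while this hunk only clamps name_off, so a sentence pointing at where that comparison already lives in smb2_get_data_area_len() would make the backport easier to verify. Minor style: the added blank line (113+) between the name_off and name_len declarations is unnecessary.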
