From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gregkh@linuxfoundation.org>
X-Google-Smtp-Source: AIpwx4+eojB8f7XuZpI43wTqOGaN5QMMq7V+h5xLzt4THCuJc3kYPHal31Z357lH+G0unMgcG5Xz
ARC-Seal: i=1; a=rsa-sha256; t=1523021197; cv=none;
        d=google.com; s=arc-20160816;
        b=L6pXRI04hAfr49cX+SFOkOf8jm1U3hIfmCKy+v6VHahjMblCIPY1kCquiCo1X2Dp3q
         s/+Pr2th7kKbZN87/6AVfJH6XoaDct7fd6n6d/VAiQF73zIV1Yb20+pnQKaxYotMyx30
         l7eolzkB0s3jAFrHW5uP/AewcZyaxFyGrksKi7fpb/mL8ubDD8QUAwTGY2qe5ce6OHB6
         tQHTu1KnKD9HLwuRkIjS/0RznF2bbtnQWR8Oi1LzEy/sKdOWy9AJle20Je8bM5bHxCob
         ElNH6q5hlZ/0224hAa70qGhLqe2bLux/IPl+Io7H3G70xd+HfecFMtCCn+RLSPUh083l
         p8Gg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:user-agent:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=LcziP4loUiQ5TtWvINtRx3IFYrXloeJQa34G4ZXzq2o=;
        b=ouUPpRhQEnLCWIFZhrvq39se0JFrywf9kCRv18bPonsEFARbU0ZtBBq/O5ctou66Ha
         cRautLCWZcHz9T11vGhx5z8m1SM6tcDL7gpl3NiNlsh1LnWPkCfS8ZXnB+HLXcgsojmm
         9/G0D5l/xpqrNKaoW6oSlbjRNPYo4Fw4GccG/R6L/Cl+D3JZb6nKG/VBqfcLx4On0Nqo
         hvj5STfk8H2cVZ0dvmx1YV+MloQNYi648FXDCq3lkQDM5Lv5cycqGkgf78MKeQ6aXloh
         lf8r8ZzsVjtHCWyG2HZAKeaN35/WbRNNxlxNKVubaGulOx1Tz9gWSKFFG4ug1FfCdg3D
         7W7w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.61.202 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.61.202 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 3.18 15/93] staging: ncpfs: memory corruption in ncp_read_kernel()
Date: Fri,  6 Apr 2018 15:22:44 +0200
Message-Id: <20180406084225.635122495@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180406084224.918716300@linuxfoundation.org>
References: <20180406084224.918716300@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?=
X-GMAIL-THRID: =?utf-8?q?1597003475326675199?=
X-GMAIL-MSGID: =?utf-8?q?1597003475326675199?=
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4c41aa24baa4ed338241d05494f2c595c885af8f upstream.

If the server is malicious then *bytes_read could be larger than the
size of the "target" buffer.  It would lead to memory corruption when we
do the memcpy().

Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ncpfs/ncplib_kernel.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ncpfs/ncplib_kernel.c
+++ b/fs/ncpfs/ncplib_kernel.c
@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *serve
 		goto out;
 	}
 	*bytes_read = ncp_reply_be16(server, 0);
+	if (*bytes_read > to_read) {
+		result = -EINVAL;
+		goto out;
+	}
 	source = ncp_reply_data(server, 2 + (offset & 1));
 
 	memcpy(target, source, *bytes_read);