From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Steve French <smfrench@gmail.com>,
	Steve French <stfrench@microsoft.com>,
	Namjae Jeon <linkinjeon@kernel.org>
Subject: [PATCH 5.16 4/5] ksmbd: fix SMB 3.11 posix extension mount failure
Date: Wed,  9 Feb 2022 20:14:36 +0100
Message-ID: <20220209191250.048258338@linuxfoundation.org>
In-Reply-To: <20220209191249.887150036@linuxfoundation.org>

From: Namjae Jeon <linkinjeon@kernel.org>

commit 9ca8581e79e51c57e60b3b8e3b89d816448f49fe upstream.

The cifs client sets the DataLength of the create_posix context to 4,
which means that only the Mode variable of the create_posix context is
available. So the buffer validation of ksmbd should check only the size
of Mode, excluding the size of the Reserved variable.

Fixes: 8f77150c15f8 ("ksmbd: add buffer validation for SMB2_CREATE_CONTEXT")
Cc: stable@vger.kernel.org # v5.15+
Reported-by: Steve French <smfrench@gmail.com>
Tested-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -2688,7 +2688,7 @@ int smb2_open(struct ksmbd_work *work)
 					(struct create_posix *)context;
 				if (le16_to_cpu(context->DataOffset) +
 				    le32_to_cpu(context->DataLength) <
-				    sizeof(struct create_posix)) {
+				    sizeof(struct create_posix) - 4) {
 					rc = -EINVAL;
 					goto err_out1;
 				}
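
Review bot: the bare `- 4` in the `sizeof(struct create_posix) - 4` comparison is a magic number. Going by the commit message it stands for the Reserved field that the cifs client leaves out, so derive it from the struct (the size of that member, or the offset of the end of Mode) and add a one-line comment; then the lower bound keeps tracking the layout if the struct changes. Since this relaxes a length check on a client-supplied context, it is also worth confirming that nothing after the `(struct create_posix *)context` cast reads past Mode, because those last 4 bytes are no longer covered by the validation.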


