[patch] cifs: check offset in decode_ntlmssp

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

* [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31  8:52 Dan Carpenter
  2012-01-31 10:49 ` Jeff Layton
  2012-01-31 13:43 ` Steve French
  0 siblings, 2 replies; 5+ messages in thread
From: Dan Carpenter @ 2012-01-31  8:52 UTC (permalink / raw)
  To: Steve French
  Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
	kernel-janitors-u79uwXL29TY76Z2rM5mHXA

We should check that we're not copying memory from beyond the end of the
blob.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index d85efad..eb76741 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
 	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
 	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
 	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
+	if (tioffset > blob_len || tioffset + tilen > blob_len) {
+		cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
+		return -EINVAL;
+	}
 	if (tilen) {
 		ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
 		if (!ses->auth_key.response) {

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
  2012-01-31  8:52 [patch] cifs: check offset in decode_ntlmssp_challenge() Dan Carpenter
@ 2012-01-31 10:49 ` Jeff Layton
  2012-01-31 11:25   ` Dan Carpenter
  2012-01-31 13:43 ` Steve French
  1 sibling, 1 reply; 5+ messages in thread
From: Jeff Layton @ 2012-01-31 10:49 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical

On Tue, 31 Jan 2012 11:52:01 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> We should check that we're not copying memory from beyond the end of the
> blob.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
>  	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
>  	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
>  	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> +	if (tioffset > blob_len || tioffset + tilen > blob_len) {
> +		cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> +		return -EINVAL;
> +	}

Good catch.

Do we really need a || here though? Would it not be sufficient to check
if tioffset + tilen > blob_len? Or are you concerned about that value
wrapping?

>  	if (tilen) {
>  		ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
>  		if (!ses->auth_key.response) {
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Jeff Layton <jlayton@redhat.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
  2012-01-31 10:49 ` Jeff Layton
@ 2012-01-31 11:25   ` Dan Carpenter
  2012-01-31 11:50     ` Jeff Layton
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2012-01-31 11:25 UTC (permalink / raw)
  To: Jeff Layton; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical

[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]

On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> On Tue, 31 Jan 2012 11:52:01 +0300
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> > We should check that we're not copying memory from beyond the end of the
> > blob.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > index d85efad..eb76741 100644
> > --- a/fs/cifs/sess.c
> > +++ b/fs/cifs/sess.c
> > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> >  	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> >  	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> >  	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > +	if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > +		cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > +		return -EINVAL;
> > +	}
> 
> Good catch.
> 
> Do we really need a || here though? Would it not be sufficient to check
> if tioffset + tilen > blob_len? Or are you concerned about that value
> wrapping?

Yep.  I was concerned about value wrapping.

regards,
dan carpenter


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
  2012-01-31 11:25   ` Dan Carpenter
@ 2012-01-31 11:50     ` Jeff Layton
  0 siblings, 0 replies; 5+ messages in thread
From: Jeff Layton @ 2012-01-31 11:50 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
	kernel-janitors-u79uwXL29TY76Z2rM5mHXA

[-- Attachment #1: Type: text/plain, Size: 1413 bytes --]

On Tue, 31 Jan 2012 14:25:08 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> > On Tue, 31 Jan 2012 11:52:01 +0300
> > Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > > We should check that we're not copying memory from beyond the end of the
> > > blob.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > 
> > > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > > index d85efad..eb76741 100644
> > > --- a/fs/cifs/sess.c
> > > +++ b/fs/cifs/sess.c
> > > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > >  	ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > >  	tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > >  	tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > > +	if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > > +		cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > > +		return -EINVAL;
> > > +	}
> > 
> > Good catch.
> > 
> > Do we really need a || here though? Would it not be sufficient to check
> > if tioffset + tilen > blob_len? Or are you concerned about that value
> > wrapping?
> 
> Yep.  I was concerned about value wrapping.
> 
> regards,
> dan carpenter
> 

Seems reasonable then. Thanks...

Reviewed-by: Jeff Layton <jlayton@redhat.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
  2012-01-31  8:52 [patch] cifs: check offset in decode_ntlmssp_challenge() Dan Carpenter
  2012-01-31 10:49 ` Jeff Layton
@ 2012-01-31 13:43 ` Steve French
  1 sibling, 0 replies; 5+ messages in thread
From: Steve French @ 2012-01-31 13:43 UTC (permalink / raw)
  Cc: linux-cifs, kernel-janitors, samba-technical

merged to cifs-2.6.git

On Tue, Jan 31, 2012 at 2:52 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
>        ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
>        tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
>        tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> +       if (tioffset > blob_len || tioffset + tilen > blob_len) {
> +               cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> +               return -EINVAL;
> +       }
>        if (tilen) {
>                ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
>                if (!ses->auth_key.response) {




--
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-01-31 13:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-31  8:52 [patch] cifs: check offset in decode_ntlmssp_challenge() Dan Carpenter
2012-01-31 10:49 ` Jeff Layton
2012-01-31 11:25   ` Dan Carpenter
2012-01-31 11:50     ` Jeff Layton
2012-01-31 13:43 ` Steve French

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox