From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1585F9446 for ; Sun, 13 Aug 2023 21:43:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 93458C433C7; Sun, 13 Aug 2023 21:43:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1691963008; bh=ZYN6cahuBPqKew9p1Yh0el1Wz+A8GFm7Ylbn5Ildkgo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VNdsLbA21fJoyOABQcfg5HXYxtGD74VYcstyVd78odKAoI30bfey5UAV7048fFHkT riT+Pj/qsjMAqY2Ysoe/cKU5esw/AEXx3NgudLrXP+oBKWU7T4ehei77OHZXYx7uHS 0suz1eZ76jxXC6Q7IOG3SS/bBp826Eo+TOzslZSU= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Namjae Jeon , Steve French , zdi-disclosures@trendmicro.com Subject: [PATCH 5.15 02/89] ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() Date: Sun, 13 Aug 2023 23:18:53 +0200 Message-ID: <20230813211710.859658800@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230813211710.787645394@linuxfoundation.org> References: <20230813211710.787645394@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Namjae Jeon commit 79ed288cef201f1f212dfb934bcaac75572fb8f6 upstream. There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21598 Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2pdu.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2309,9 +2309,16 @@ next: break; buf_len -= next; eabuf = (struct smb2_ea_info *)((char *)eabuf + next); - if (next < (u32)eabuf->EaNameLength + le16_to_cpu(eabuf->EaValueLength)) + if (buf_len < sizeof(struct smb2_ea_info)) { + rc = -EINVAL; break; + } + if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + + le16_to_cpu(eabuf->EaValueLength)) { + rc = -EINVAL; + break; + } } while (next != 0); kfree(attr_name);