raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 10:00:17 +00:00
Code Issues Projects Releases Wiki Activity

smb: client: validate change notify buffer before copy

Browse Source 
commit 4012abe8a7 upstream.

SMB2_change_notify called smb2_validate_iov() but ignored the return
code, then kmemdup()ed using server provided OutputBufferOffset/Length.

Check the return of smb2_validate_iov() and bail out on error.

Discovered with help from the ZeroPath security tooling.

Signed-off-by: Joshua Rogers <linux@joshua.hu>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: stable@vger.kernel.org
Fixes: e3e9463414 ("smb3: improve SMB3 change notification support")
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Joshua Rogers
2025-11-07 00:09:37 +08:00
committed by Greg Kroah-Hartman
parent a557649f00
commit 3d82cb8465
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
fs/smb/client/smb2pdu.c
View File

@@ -4074,9 +4074,12 @@ replay_again:
smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base; smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base;
smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov, le32_to_cpu(smb_rsp->OutputBufferLength),
&rsp_iov,
sizeof(struct file_notify_information)); sizeof(struct file_notify_information));
if (rc)
goto cnotify_exit;
*out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset), *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset),
le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL); le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL);