git.baikalelectronics.ru Git - kernel.git/commit

author	William Liu <will@willsroot.io>
	Fri, 30 Dec 2022 04:03:15 +0000 (13:03 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 12 Jan 2023 11:02:57 +0000 (12:02 +0100)
commit	0ff49f15518c15be9f44b9d3c659b5ada1366c3c
tree	b55546a2ba5d630574028687127fac7b881f1bb2	tree \| snapshot
parent	abf052fd39ce96e1fde0dbb304078ebada3e1339	commit \| diff

ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob

commit 812cfa5817a635c74e17656262cabb217cc621df upstream.

"nt_len - CIFS_ENCPWD_SIZE" is passed directly from
ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests
can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative
number (or large unsigned value) used for a subsequent memcpy in
ksmbd_auth_ntlvm2 and can cause a panic.

Fixes: c4a98f110ba0 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>