ksmbd: fix invalid request buffer access in compound

author Namjae Jeon <linkinjeon@kernel.org>

Fri, 24 Sep 2021 00:24:08 +0000 (09:24 +0900)

committer Steve French <stfrench@microsoft.com>

Sun, 26 Sep 2021 21:47:14 +0000 (16:47 -0500)
author Namjae Jeon <linkinjeon@kernel.org>
Fri, 24 Sep 2021 00:24:08 +0000 (09:24 +0900)
committer Steve French <stfrench@microsoft.com>
Sun, 26 Sep 2021 21:47:14 +0000 (16:47 -0500)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c

index 761e12171dc4418fb2594bea381fc2a93df57f69..cea376b2dd8f2d81f7369c0da8167fbac51cb0be 100644 (file)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
  bool is_chained_smb2_message(struct ksmbd_work *work)
  {
         struct smb2_hdr *hdr = work->request_buf;
-       unsigned int len;
+       unsigned int len, next_cmd;
  
         if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
                 return false;
  
         hdr = ksmbd_req_buf_next(work);
-       if (le32_to_cpu(hdr->NextCommand) > 0) {
+       next_cmd = le32_to_cpu(hdr->NextCommand);
+       if (next_cmd > 0) {
+               if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
+                       __SMB2_HEADER_STRUCTURE_SIZE >
+                   get_rfc1002_len(work->request_buf)) {
+                       pr_err("next command(%u) offset exceeds smb msg size\n",
+                              next_cmd);
+                       return false;
+               }
+
                 ksmbd_debug(SMB, "got SMB2 chained command\n");
                 init_chained_smb2_rsp(work);
                 return true;
author	Namjae Jeon <linkinjeon@kernel.org>
	Fri, 24 Sep 2021 00:24:08 +0000 (09:24 +0900)
committer	Steve French <stfrench@microsoft.com>
	Sun, 26 Sep 2021 21:47:14 +0000 (16:47 -0500)