[PATCH 6.5 03/34] ksmbd: fix wrong DataOffset validation of create context

4 Sep 2023

6.5-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Namjae Jeon linkinjeon@kernel.org
commit 17d5b135bb720832364e8f55f6a887a3c7ec8fdb upstream.
If ->DataOffset of create context is 0, DataBuffer size is not correctly
validated. This patch change wrong validation code and consider tag
length in request.
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824
Signed-off-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 fs/smb/server/oplock.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -1492,7 +1492,7 @@ struct create_context *smb2_find_context
    	    name_len < 4 ||
    	    name_off + name_len > cc_len ||
    	    (value_off & 0x7) != 0 ||
-		    (value_off && (value_off < name_off + name_len)) ||
+		    (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) ||
    	    ((u64)value_off + value_len > cc_len))
    		return ERR_PTR(-EINVAL);

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 6.5 03/34] ksmbd: fix wrong DataOffset validation of create context