[PATCH 4.9 42/67] staging: ncpfs: memory corruption in ncp_read_kernel()

27 Mar 2018

4.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 4c41aa24baa4ed338241d05494f2c595c885af8f upstream.
If the server is malicious then *bytes_read could be larger than the
size of the "target" buffer.  It would lead to memory corruption when we
do the memcpy().
Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare silvio.cesare@gmail.com
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Cc: stable stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 fs/ncpfs/ncplib_kernel.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ncpfs/ncplib_kernel.c
+++ b/fs/ncpfs/ncplib_kernel.c
@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *serve
    	goto out;
    }
    *bytes_read = ncp_reply_be16(server, 0);
+	if (*bytes_read > to_read) {
+		result = -EINVAL;
+		goto out;
+	}
    source = ncp_reply_data(server, 2 + (offset & 1));
memcpy(target, source, *bytes_read);

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.9 42/67] staging: ncpfs: memory corruption in ncp_read_kernel()