This is a note to let you know that I've just added the patch titled

staging: ncpfs: memory corruption in ncp_read_kernel()

to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-linus branch.

The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.)

The patch will hopefully also be merged in Linus's tree for the next -rc kernel release.

If you have any questions about this process, please let me know.

From 4c41aa24baa4ed338241d05494f2c595c885af8f Mon Sep 17 00:00:00 2001

From: Dan Carpenter dan.carpenter@oracle.com Date: Mon, 19 Mar 2018 14:07:45 +0300 Subject: staging: ncpfs: memory corruption in ncp_read_kernel()

If the server is malicious then *bytes_read could be larger than the size of the "target" buffer. It would lead to memory corruption when we do the memcpy().

Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare silvio.cesare@gmail.com Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/staging/ncpfs/ncplib_kernel.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/drivers/staging/ncpfs/ncplib_kernel.c b/drivers/staging/ncpfs/ncplib_kernel.c index 804adfebba2f..3e047eb4cc7c 100644 --- a/drivers/staging/ncpfs/ncplib_kernel.c +++ b/drivers/staging/ncpfs/ncplib_kernel.c @@ -981,6 +981,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, goto out; } *bytes_read = ncp_reply_be16(server, 0); + if (*bytes_read > to_read) { + result = -EINVAL; + goto out; + } source = ncp_reply_data(server, 2 + (offset & 1));

memcpy(target, source, *bytes_read);