Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag '6.3-rc6-ksmbd-server-fix' of git://git.samba.org/ksmbd

Pull ksmbd server fix from Steve French:
"smb311 server preauth integrity negotiate context parsing fix (check
for out of bounds access)"

* tag '6.3-rc6-ksmbd-server-fix' of git://git.samba.org/ksmbd:
ksmbd: avoid out of bounds access in decode_preauth_ctxt()

+14 -9
+14 -9
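--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -876,17 +876,21 @@
 }
 
 static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
-struct smb2_preauth_neg_context *pneg_ctxt)
+struct smb2_preauth_neg_context *pneg_ctxt,
+int len_of_ctxts)
 {
-__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+/*
+* sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
+* which may not be present. Only check for used HashAlgorithms[1].
+*/
+if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
+return STATUS_INVALID_PARAMETER;
 
-if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
-conn->preauth_info->Preauth_HashId =
-SMB2_PREAUTH_INTEGRITY_SHA512;
-err = STATUS_SUCCESS;
-}
+if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
+return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
 
-return err;
+conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
+return STATUS_SUCCESS;
 }
 
 static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
@@ -1018,7 +1014,8 @@
 break;
 
 status = decode_preauth_ctxt(conn,
-(struct smb2_preauth_neg_context *)pctx);
+(struct smb2_preauth_neg_context *)pctx,
+len_of_ctxts);
 if (status != STATUS_SUCCESS)
 break;
 } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {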
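Review bot: The new guard in decode_preauth_ctxt() compares `len_of_ctxts` with `MIN_PREAUTH_CTXT_DATA_LEN` alone, which may still be too small a bound for the `pneg_ctxt->HashAlgorithms` read that follows. If that constant covers only the context data, as its name suggests, and `len_of_ctxts` counts the remaining bytes from the start of the context header (neither definition is visible here), a buffer that holds the data length but not header plus data passes the check and the read can still land past the end of the request. I would make the header explicit, `if (len_of_ctxts < sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN)`, and confirm in the caller's loop, which starts outside this hunk, that `len_of_ctxts` cannot be negative at the call, since the signed `int` would be converted to unsigned in that comparison. A one-line comment stating that the parameter is the remaining length of all contexts, not this context's `DataLength`, would also help the next reader.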