Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ksmbd: validate EaNameLength in smb2_get_ea()

smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.

Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.

Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

Authored by Greg Kroah-Hartman and committed by Steve French
66751841 1c137636

+5
fs/smb/server/smb2pdu.c
··· 4717 4717 4718 4718 ea_req = (struct smb2_ea_info_req *)((char *)req + 4719 4719 le16_to_cpu(req->InputBufferOffset)); 4720 + 4721 + if (le32_to_cpu(req->InputBufferLength) < 4722 + offsetof(struct smb2_ea_info_req, name) + 4723 + ea_req->EaNameLength) 4724 + return -EINVAL; 4720 4725 } else { 4721 4726 /* need to send all EAs, if no specific EA is requested*/ 4722 4727 if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
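Review bot: the added comparison right after ea_req is computed bounds ea_req->EaNameLength only against req->InputBufferLength, which is itself a client-supplied field, and ea_req points at req + InputBufferOffset, another client-supplied value. Nothing in the visible context shows that InputBufferOffset + InputBufferLength lies inside the bytes actually received, or that InputBufferLength already covers the fixed part of struct smb2_ea_info_req before ea_req->EaNameLength is read. If both are validated earlier in the function or by the generic request validation, please say so in a short comment above the new check; if not, the check should also be made against the real request length, otherwise the strncmp() the commit message mentions can still read past the received data. The arithmetic itself looks safe, since the sum is compared against a 32-bit value and cannot wrap for a small name length. It is also worth confirming that nothing acquired earlier in smb2_get_ea() needs to be released before the direct return -EINVAL.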