Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag '6.7rc7-smb3-srv-fix' of git://git.samba.org/ksmbd

Pull ksmbd server fix from Steve French:

- address possible slab out of bounds in parsing of open requests

* tag '6.7rc7-smb3-srv-fix' of git://git.samba.org/ksmbd:
ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

+12 -3
+12 -3
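--- a/fs/smb/server/smb2misc.c
+++ b/fs/smb/server/smb2misc.c
@@ -106,16 +106,25 @@
 break;
 case SMB2_CREATE:
 {
+unsigned short int name_off =
+le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
+unsigned short int name_len =
+le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
+
 if (((struct smb2_create_req *)hdr)->CreateContextsLength) {
 *off = le32_to_cpu(((struct smb2_create_req *)
 hdr)->CreateContextsOffset);
 *len = le32_to_cpu(((struct smb2_create_req *)
 hdr)->CreateContextsLength);
-break;
+if (!name_len)
+break;
+
+if (name_off + name_len < (u64)*off + *len)
+break;
 }
 
-*off = le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
-*len = le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
+*off = name_off;
+*len = name_len;
 break;
 }
 case SMB2_QUERY_INFO: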
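Review bot: The SMB2_CREATE case now picks between two client-controlled regions by comparing only their end offsets (`name_off + name_len < (u64)*off + *len`), and nothing in the code records why reporting a single region is enough. The region that is not reported is bounded only if the caller checks the end of `*off + *len` against the received length, which presumably happens outside this hunk since the enclosing function starts and ends beyond it. I would state that invariant above the comparison, e.g. `/* Report whichever of the name and the create contexts ends last, so the caller's length check bounds both client-supplied regions. */`. It would also help to note that the left-hand sum cannot wrap, because both operands are 16-bit values promoted to int, so a later change of their types does not silently reintroduce an overflow.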