forked from Minki/linux
ksmbd: fix potencial 32bit overflow from data area check in smb2_write
DataOffset and Length validation can be potencial 32bit overflow. This patch fix it. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
bf8acc9e10
commit
9a63b999ae
@ -6197,8 +6197,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
|
||||
(offsetof(struct smb2_write_req, Buffer) - 4)) {
|
||||
data_buf = (char *)&req->Buffer[0];
|
||||
} else {
|
||||
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
|
||||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
|
||||
if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
|
||||
pr_err("invalid write data offset %u, smb_len %u\n",
|
||||
le16_to_cpu(req->DataOffset),
|
||||
get_rfc1002_len(req));
|
||||
@ -6356,8 +6355,7 @@ int smb2_write(struct ksmbd_work *work)
|
||||
(offsetof(struct smb2_write_req, Buffer) - 4)) {
|
||||
data_buf = (char *)&req->Buffer[0];
|
||||
} else {
|
||||
if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
|
||||
(le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
|
||||
if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
|
||||
pr_err("invalid write data offset %u, smb_len %u\n",
|
||||
le16_to_cpu(req->DataOffset),
|
||||
get_rfc1002_len(req));
|
||||
|
Loading…
Reference in New Issue
Block a user