leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cifs: prevent copying past input buffer boundaries

Browse Source 
Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
the output buffer in @iov might be potentially bigger and thus copying
more bytes than requested in @minbufsize.

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
Paulo Alcantara 2022-10-06 13:04:05 -03:00 committed by Steve French
parent 69ccafdd35
commit 9ee2afe520
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
fs/cifs/smb2pdu.c
View File

@ -3485,7 +3485,7 @@ smb2_validate_and_copy_iov(unsigned int offset, unsigned int buffer_length,
if (rc) if (rc)
return rc; return rc;
memcpy(data, begin_of_buf, buffer_length); memcpy(data, begin_of_buf, minbufsize);
return 0; return 0;
} }
@ -3609,7 +3609,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset), rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
le32_to_cpu(rsp->OutputBufferLength), le32_to_cpu(rsp->OutputBufferLength),
&rsp_iov, min_len, *data); &rsp_iov, dlen ? *dlen : min_len, *data);
if (rc && allocated) { if (rc && allocated) {
kfree(*data); kfree(*data);
*data = NULL; *data = NULL;