cifs: integer overflow in in SMB2_ioctl()
The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.
Fixes: 4a72dafa19
("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>
This commit is contained in:
parent
56446f218a
commit
2d204ee9d6
|
@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
|
|||
/* We check for obvious errors in the output buffer length and offset */
|
||||
if (*plen == 0)
|
||||
goto ioctl_exit; /* server returned no data */
|
||||
else if (*plen > 0xFF00) {
|
||||
else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
|
||||
cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
|
||||
*plen = 0;
|
||||
rc = -EIO;
|
||||
goto ioctl_exit;
|
||||
}
|
||||
|
||||
if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
|
||||
if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
|
||||
cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
|
||||
le32_to_cpu(rsp->OutputOffset));
|
||||
*plen = 0;
|
||||
|
|
Loading…
Reference in New Issue
Block a user