1 From 5282491fc49d5614ac6ddcd012e5743eecb6a67c Mon Sep 17 00:00:00 2001
2 From: Namjae Jeon <linkinjeon@kernel.org>
3 Date: Wed, 10 Sep 2025 11:22:52 +0900
4 Subject: ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
6 From: Namjae Jeon <linkinjeon@kernel.org>
8 commit 5282491fc49d5614ac6ddcd012e5743eecb6a67c upstream.
10 If data_offset and data_length of smb_direct_data_transfer struct are
11 invalid, an out-of-bounds issue could happen.
12 This patch validates the data_offset and data_length fields in recv_done.
14 Cc: stable@vger.kernel.org
15 Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct")
16 Reviewed-by: Stefan Metzmacher <metze@samba.org>
17 Reported-by: Luigino Camastra, Aisle Research <luigino.camastra@aisle.com>
18 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
19 Signed-off-by: Steve French <stfrench@microsoft.com>
20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22 fs/smb/server/transport_rdma.c | 17 +++++++++--------
23 1 file changed, 9 insertions(+), 8 deletions(-)
25 --- a/fs/smb/server/transport_rdma.c
26 +++ b/fs/smb/server/transport_rdma.c
27 @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq,
28 case SMB_DIRECT_MSG_DATA_TRANSFER: {
29 struct smb_direct_data_transfer *data_transfer =
30 (struct smb_direct_data_transfer *)recvmsg->packet;
31 - unsigned int data_length;
32 + unsigned int data_offset, data_length;
33 int avail_recvmsg_count, receive_credits;
36 @@ -565,14 +565,15 @@ static void recv_done(struct ib_cq *cq,
39 data_length = le32_to_cpu(data_transfer->data_length);
41 - if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
43 - put_recvmsg(t, recvmsg);
44 - smb_direct_disconnect_rdma_connection(t);
47 + data_offset = le32_to_cpu(data_transfer->data_offset);
48 + if (wc->byte_len < data_offset ||
49 + wc->byte_len < (u64)data_offset + data_length) {
50 + put_recvmsg(t, recvmsg);
51 + smb_direct_disconnect_rdma_connection(t);
56 if (t->full_packet_received)
57 recvmsg->first_segment = true;