smb: client: validate change notify buffer before copy
authorJoshua Rogers <linux@joshua.hu>
Thu, 6 Nov 2025 16:09:37 +0000 (00:09 +0800)
committerSteve French <stfrench@microsoft.com>
Fri, 7 Nov 2025 16:15:43 +0000 (10:15 -0600)
SMB2_change_notify called smb2_validate_iov() but ignored the return
code, then kmemdup()ed using the server-provided OutputBufferOffset/Length.

Check the return of smb2_validate_iov() and bail out on error.

Discovered with help from the ZeroPath security tooling.

Signed-off-by: Joshua Rogers <linux@joshua.hu>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: stable@vger.kernel.org
Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support")
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2pdu.c

index b0739a2661bf95193f73aa14dfcc78bead113623..8b4a4573e9c372478af9b2c10525e0656f53a1b9 100644 (file)
@@ -4054,9 +4054,12 @@ replay_again:
 
                smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base;
 
-               smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
-                               le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov,
+               rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
+                               le32_to_cpu(smb_rsp->OutputBufferLength),
+                               &rsp_iov,
                                sizeof(struct file_notify_information));
+               if (rc)
+                       goto cnotify_exit;
 
                *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset),
                                le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL);
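Review bot: The offset/length pair that smb2_validate_iov() checks and the pair handed to kmemdup() on the last two lines are decoded from smb_rsp separately, so nothing in the hunk makes it obvious they are the same values; hoisting them into locals, e.g. `u16 off = le16_to_cpu(smb_rsp->OutputBufferOffset);` and `u32 len = le32_to_cpu(smb_rsp->OutputBufferLength);`, and using `off`/`len` in both the check and the copy would make the bounds check and the copy visibly agree. A short comment above the check would also help the next reader, such as `/* OutputBufferOffset/Length are server-controlled; bound them against rsp_iov before copying */`. Note that honouring the return value with sizeof(struct file_notify_information) as min_buf_size presumably turns a zero-length OutputBuffer on a success status into -EINVAL where it previously fell through to an empty copy, which looks intended but is worth confirming against what servers return. The enclosing function, including the cnotify_exit label and the handling of the kmemdup() result, lies outside the hunk.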