ksmbd: add bounds check for durable handle context

Add missing bounds check for durable handle context.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index c53121538990ecaaa3867c670085ca09f8da1a97..7717d81d3f9bebc4543993f281e24fe79bb9a889 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                goto out;
                        }
 
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_v2_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                        recon_v2 = (struct create_durable_reconn_v2_req *)context;
                        persistent_id = recon_v2->Fid.PersistentFileId;
                        dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                goto out;
                        }
 
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                        recon = (struct create_durable_reconn_req *)context;
                        persistent_id = recon->Data.Fid.PersistentFileId;
                        dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2766,6 +2780,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                goto out;
                        }
 
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_req_v2)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                        durable_v2_blob =
                                (struct create_durable_req_v2 *)context;
                        ksmbd_debug(SMB, "Request for durable v2 open\n");