--- /dev/null
+From 9ee2afe5207b63b20426ee081f486d831bae871d Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Thu, 6 Oct 2022 13:04:05 -0300
+Subject: cifs: prevent copying past input buffer boundaries
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream.
+
+Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
+the output buffer in @iov might be potentially bigger and thus copying
+more bytes than requested in @minbufsize.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Cc: Georg Müller <georgmueller@gmx.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3331,7 +3331,7 @@ smb2_validate_and_copy_iov(unsigned int
+ if (rc)
+ return rc;
+
+- memcpy(data, begin_of_buf, buffer_length);
++ memcpy(data, begin_of_buf, minbufsize);
+
+ return 0;
+ }
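Review bot: The new `memcpy(data, begin_of_buf, minbufsize)` relies on two contracts that are not written down at the copy site. The check behind `if (rc)` must have established that the response buffer holds at least `minbufsize` bytes, and every caller must pass a `data` buffer with room for `minbufsize` bytes. I would add a comment above the copy, for example `/* validated above: buffer_length >= minbufsize; caller guarantees data holds minbufsize bytes */`. The validation call and the function signature lie outside this hunk, so the first half should be confirmed against the full body of smb2_validate_and_copy_iov().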
+@@ -3455,7 +3455,7 @@ query_info(const unsigned int xid, struc
+
+ rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
+ le32_to_cpu(rsp->OutputBufferLength),
+- &rsp_iov, min_len, *data);
++ &rsp_iov, dlen ? *dlen : min_len, *data);
+ if (rc && allocated) {
+ kfree(*data);
+ *data = NULL;
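Review bot: The copy length passed here becomes `*dlen` whenever `dlen` is non-NULL, so the destination `*data` must hold at least `*dlen` bytes, and nothing visible in this hunk guarantees that when the caller supplies the buffer. The `allocated` flag tested just below suggests `*data` is sometimes allocated in query_info() and sometimes passed in. If `*dlen` is assigned from the response's `OutputBufferLength` earlier in the function (outside this hunk, please confirm), a preallocated buffer would be sized by the caller while the copy length is chosen by the server. Consider keeping `min_len` as the bound on the non-allocated path, e.g. `allocated ? *dlen : min_len`, or document that callers passing both `dlen` and a preallocated `*data` must size it for the full response.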