ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()

The validate_negotiate_info_req struct definition includes an extra
field to access the data coming after the header. This causes the check
in fsctl_validate_negotiate_info() to count the first element of the
array twice. This in turn makes some valid requests fail, depending on
whether they include padding or not.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index eb23c44c1c85e4cca85390889eb6dd165985ce6e..a925e0f67fb8fee3adae74523bc2bb7bc250ae16 100644 (file)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7313,7 +7313,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
        int ret = 0;
        int dialect;
 
-       if (in_buf_len < sizeof(struct validate_negotiate_info_req) +
+       if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) +
                        le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
                return -EINVAL;