cifs: add validation check for the fields in smb_aces

cifs.ko is missing validation check when accessing smb_aces.
This patch add validation check for the fields in smb_aces.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
index c8676dd77fa7201ddd3c81d025933e42bbe34f0a..63b3b1290bed214e04f005d210204382396848df 100644 (file)
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -811,7 +811,23 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
                        return;
 
                for (i = 0; i < num_aces; ++i) {
+                       if (end_of_acl - acl_base < acl_size)
+                               break;
+
                        ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+                       acl_base = (char *)ppace[i];
+                       acl_size = offsetof(struct smb_ace, sid) +
+                               offsetof(struct smb_sid, sub_auth);
+
+                       if (end_of_acl - acl_base < acl_size ||
+                           ppace[i]->sid.num_subauth == 0 ||
+                           ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+                           (end_of_acl - acl_base <
+                            acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
+                           (le16_to_cpu(ppace[i]->size) <
+                            acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
+                               break;
+
 #ifdef CONFIG_CIFS_DEBUG2
                        dump_ace(ppace[i], end_of_acl);
 #endif
@@ -855,7 +871,6 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
                                (void *)ppace[i],
                                sizeof(struct smb_ace)); */
 
-                       acl_base = (char *)ppace[i];
                        acl_size = le16_to_cpu(ppace[i]->size);
                }