]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3980770)
ksmbd: validate zero num_subauth before sub_auth is accessed
authorNorbert Szetei <norbert@doyensec.com>
Sat, 29 Mar 2025 16:06:01 +0000 (16:06 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Apr 2025 12:37:43 +0000 (14:37 +0200)
commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream.

Access psid->sub_auth[psid->num_subauth - 1] without checking
if num_subauth is non-zero leads to an out-of-bounds read.
This patch adds a validation step to ensure num_subauth != 0
before sub_auth is accessed.

Cc: stable@vger.kernel.org
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/server/smbacl.c patch | blob | blame | history

diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index 109036e2227ca1173fad8d02418585c54a228499..b90f893762f447f74caddf7edad5258ada8de418 100644 (file)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *idmap,
                return -EIO;
        }
 
+       if (psid->num_subauth == 0) {
+               pr_err("%s: zero subauthorities!\n", __func__);
+               return -EIO;
+       }
+
        if (sidtype == SIDOWNER) {
                kuid_t uid;
                uid_t id;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git