ksmbd: add bounds check for durable handle context

author Namjae Jeon <linkinjeon@kernel.org>

Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 10 Apr 2025 12:39:38 +0000 (14:39 +0200)
author Namjae Jeon <linkinjeon@kernel.org>
Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Apr 2025 12:39:38 +0000 (14:39 +0200)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c

index 5b94d90870b0d95c275db927ab7ec38cfef7d2fd..1c7433aaad29851b197b1196715e9ce3bfdedff3 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2699,6 +2699,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_v2_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         recon_v2 = (struct create_durable_reconn_v2_req *)context;
                         persistent_id = recon_v2->Fid.PersistentFileId;
                         dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2732,6 +2739,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         recon = (struct create_durable_reconn_req *)context;
                         persistent_id = recon->Data.Fid.PersistentFileId;
                         dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2757,6 +2771,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_req_v2)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         durable_v2_blob =
                                 (struct create_durable_req_v2 *)context;
                         ksmbd_debug(SMB, "Request for durable v2 open\n");
author	Namjae Jeon <linkinjeon@kernel.org>
	Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 10 Apr 2025 12:39:38 +0000 (14:39 +0200)