]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 108d6b3)
cifs: add validation check for the fields in smb_aces
authorNamjae Jeon <linkinjeon@kernel.org>
Wed, 12 Feb 2025 08:52:19 +0000 (17:52 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 29 May 2025 09:12:26 +0000 (11:12 +0200)
[ Upstream commit eeb827f2922eb07ffbf7d53569cc95b38272646f ]

cifs.ko is missing validation check when accessing smb_aces.
This patch add validation check for the fields in smb_aces.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/smb/client/cifsacl.c patch | blob | blame | history

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
index 64bd68f750f84229ff8cd768576d93a40fb6f700..f9d577f2d59bb08498b9a2d24c47590ffad7727a 100644 (file)
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -811,7 +811,23 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
                        return;
 
                for (i = 0; i < num_aces; ++i) {
+                       if (end_of_acl - acl_base < acl_size)
+                               break;
+
                        ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+                       acl_base = (char *)ppace[i];
+                       acl_size = offsetof(struct smb_ace, sid) +
+                               offsetof(struct smb_sid, sub_auth);
+
+                       if (end_of_acl - acl_base < acl_size ||
+                           ppace[i]->sid.num_subauth == 0 ||
+                           ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+                           (end_of_acl - acl_base <
+                            acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
+                           (le16_to_cpu(ppace[i]->size) <
+                            acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
+                               break;
+
 #ifdef CONFIG_CIFS_DEBUG2
                        dump_ace(ppace[i], end_of_acl);
 #endif
@@ -855,7 +871,6 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
                                (void *)ppace[i],
                                sizeof(struct smb_ace)); */
 
-                       acl_base = (char *)ppace[i];
                        acl_size = le16_to_cpu(ppace[i]->size);
                }
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git