]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7805d1e)
ksmbd: fix integer overflows on 32 bit systems
authorDan Carpenter <dan.carpenter@linaro.org>
Wed, 15 Jan 2025 00:28:35 +0000 (09:28 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Feb 2025 12:49:39 +0000 (13:49 +0100)
commit aab98e2dbd648510f8f51b83fbf4721206ccae45 upstream.

On 32bit systems the addition operations in ipc_msg_alloc() can
potentially overflow leading to memory corruption.
Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/server/transport_ipc.c patch | blob | blame | history

diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 8752ac82c557bf92985bd4d87a3e37f4cd4a60dc..496855f755ac66604fc021c4598c3ff914962e38 100644 (file)
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -567,6 +567,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
        struct ksmbd_spnego_authen_request *req;
        struct ksmbd_spnego_authen_response *resp;
 
+       if (blob_len > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
                        blob_len + 1);
        if (!msg)
@@ -746,6 +749,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
        struct ksmbd_rpc_command *req;
        struct ksmbd_rpc_command *resp;
 
+       if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
        if (!msg)
                return NULL;
@@ -794,6 +800,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
        struct ksmbd_rpc_command *req;
        struct ksmbd_rpc_command *resp;
 
+       if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
        if (!msg)
                return NULL;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git