cifs: prevent copying past input buffer boundaries

commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream.

Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
the output buffer in @iov might be potentially bigger and thus copying
more bytes than requested in @minbufsize.

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Cc: Georg Müller <georgmueller@gmx.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index aa0245268d40ee025d30e956078a0474e04a5b00..6a12279671978e29185d2ffb65b6e265552e612f 100644 (file)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3481,7 +3481,7 @@ smb2_validate_and_copy_iov(unsigned int offset, unsigned int buffer_length,
        if (rc)
                return rc;
 
-       memcpy(data, begin_of_buf, buffer_length);
+       memcpy(data, begin_of_buf, minbufsize);
 
        return 0;
 }
@@ -3605,7 +3605,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
 
        rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
                                        le32_to_cpu(rsp->OutputBufferLength),
-                                       &rsp_iov, min_len, *data);
+                                       &rsp_iov, dlen ? *dlen : min_len, *data);
        if (rc && allocated) {
                kfree(*data);
                *data = NULL;