cifs: parse_dfs_referrals: prevent oob on malformed input

commit 6447b0e355562a1ff748c4a2ffb89aae7e84d2c9 upstream.

Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS

- reply smaller than sizeof(struct get_dfs_referral_rsp)
- reply with number of referrals smaller than NumberOfReferrals in the
header

Processing of such replies will cause oob.

Return -EINVAL error on such replies to prevent oob-s.

Signed-off-by: Eugene Korenevsky <ekorenevsky@aliyun.com>
Cc: stable@vger.kernel.org
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c
index 499f791df77998bcb8d988126f30b22b5f245358..3f3f184f7fb97b9c535a9e4c37257985dfffc321 100644 (file)
--- a/fs/smb/client/misc.c
+++ b/fs/smb/client/misc.c
@@ -913,6 +913,14 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
        char *data_end;
        struct dfs_referral_level_3 *ref;
 
+       if (rsp_size < sizeof(*rsp)) {
+               cifs_dbg(VFS | ONCE,
+                        "%s: header is malformed (size is %u, must be %zu)\n",
+                        __func__, rsp_size, sizeof(*rsp));
+               rc = -EINVAL;
+               goto parse_DFS_referrals_exit;
+       }
+
        *num_of_nodes = le16_to_cpu(rsp->NumberOfReferrals);
 
        if (*num_of_nodes < 1) {
@@ -922,6 +930,15 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
                goto parse_DFS_referrals_exit;
        }
 
+       if (sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3) > rsp_size) {
+               cifs_dbg(VFS | ONCE,
+                        "%s: malformed buffer (size is %u, must be at least %zu)\n",
+                        __func__, rsp_size,
+                        sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3));
+               rc = -EINVAL;
+               goto parse_DFS_referrals_exit;
+       }
+
        ref = (struct dfs_referral_level_3 *) &(rsp->referrals);
        if (ref->VersionNumber != cpu_to_le16(3)) {
                cifs_dbg(VFS, "Referrals of V%d version are not supported, should be V3\n",