ksmbd: add bounds check for durable handle context

author Namjae Jeon <linkinjeon@kernel.org>

Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 10 Apr 2025 12:37:43 +0000 (14:37 +0200)
author Namjae Jeon <linkinjeon@kernel.org>
Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Apr 2025 12:37:43 +0000 (14:37 +0200)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c

index 2030052421881e7fce3a00a91f3e15b068c3bde5..17dfb5e7d66c8dbf60d3206b0b3a060670d720c4 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2700,6 +2700,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_v2_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         recon_v2 = (struct create_durable_reconn_v2_req *)context;
                         persistent_id = recon_v2->Fid.PersistentFileId;
                         dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2733,6 +2740,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_reconn_req)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         recon = (struct create_durable_reconn_req *)context;
                         persistent_id = recon->Data.Fid.PersistentFileId;
                         dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
@@ -2758,6 +2772,13 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
                                 goto out;
                         }
  
+                       if (le16_to_cpu(context->DataOffset) +
+                               le32_to_cpu(context->DataLength) <
+                           sizeof(struct create_durable_req_v2)) {
+                               err = -EINVAL;
+                               goto out;
+                       }
+
                         durable_v2_blob =
                                 (struct create_durable_req_v2 *)context;
                         ksmbd_debug(SMB, "Request for durable v2 open\n");
author	Namjae Jeon <linkinjeon@kernel.org>
	Fri, 14 Mar 2025 09:21:47 +0000 (18:21 +0900)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 10 Apr 2025 12:37:43 +0000 (14:37 +0200)