ksmbd: fix buffer validation by including null terminator size in EA length

The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.

Cc: stable@vger.kernel.org
Reported-by: Roger <roger.andersen@protonmail.com>
Reported-by: Stanislas Polu <spolu@dust.tt>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 27f87a13f20a7533d29801b48d9f2f119a4ea182..8aa483800014d0522d91a76c6b09e0b9d1edd247 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2363,7 +2363,7 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, unsigned int buf_len,
        int rc = 0;
        unsigned int next = 0;
 
-       if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+       if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
                        le16_to_cpu(eabuf->EaValueLength))
                return -EINVAL;
 
@@ -2440,7 +2440,7 @@ next:
                        break;
                }
 
-               if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+               if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
                                le16_to_cpu(eabuf->EaValueLength)) {
                        rc = -EINVAL;
                        break;