ksmbd: fix incorrect validation for num_aces field of smb_acl

commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream.

parse_dcal() validate num_aces to allocate posix_ace_state_array.

if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.

Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index 6fd3560028d3abe60ffcc6f54846c072e24d0c6f..3adab8e10a21cb30ba5ebfa78bce49f6c7f1b4ff 100644 (file)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -398,7 +398,9 @@ static void parse_dacl(struct user_namespace *user_ns,
        if (num_aces <= 0)
                return;
 
-       if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
+       if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
+                       (offsetof(struct smb_ace, sid) +
+                        offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
                return;
 
        ret = init_acl_state(&acl_state, num_aces);
@@ -432,6 +434,7 @@ static void parse_dacl(struct user_namespace *user_ns,
                        offsetof(struct smb_sid, sub_auth);
 
                if (end_of_acl - acl_base < acl_size ||
+                   ppace[i]->sid.num_subauth == 0 ||
                    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
                    (end_of_acl - acl_base <
                     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||