cifs: Validate content of WSL reparse point buffers

[ Upstream commit 1f48660667efb97c3cf70485c7e1977af718b48b ]

WSL socket, fifo, char and block devices have empty reparse buffer.
Validate the length of the reparse buffer.

Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()")
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index e56a8df23fec9aed3bc04fde2f18da826cb5bebc..bd8808e50d127a80b9714622b6de9abc3f1be520 100644 (file)
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -651,6 +651,11 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
        case IO_REPARSE_TAG_LX_FIFO:
        case IO_REPARSE_TAG_LX_CHR:
        case IO_REPARSE_TAG_LX_BLK:
+               if (le16_to_cpu(buf->ReparseDataLength) != 0) {
+                       cifs_dbg(VFS, "srv returned malformed buffer for reparse point: 0x%08x\n",
+                                le32_to_cpu(buf->ReparseTag));
+                       return -EIO;
+               }
                break;
        default:
                cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",