ksmbd: fix integer overflows on 32 bit systems

[ Upstream commit aab98e2dbd648510f8f51b83fbf4721206ccae45 ]

On 32bit systems the addition operations in ipc_msg_alloc() can
potentially overflow leading to memory corruption.
Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
index d62ebbff1e0f4b65978a8f38ec25dc00a8e77c42..0d096a11ba30e0a205311b2ee7435b1f6ce389d4 100644 (file)
--- a/fs/ksmbd/transport_ipc.c
+++ b/fs/ksmbd/transport_ipc.c
@@ -566,6 +566,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
        struct ksmbd_spnego_authen_request *req;
        struct ksmbd_spnego_authen_response *resp;
 
+       if (blob_len > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
                        blob_len + 1);
        if (!msg)
@@ -745,6 +748,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
        struct ksmbd_rpc_command *req;
        struct ksmbd_rpc_command *resp;
 
+       if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
        if (!msg)
                return NULL;
@@ -793,6 +799,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
        struct ksmbd_rpc_command *req;
        struct ksmbd_rpc_command *resp;
 
+       if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
+               return NULL;
+
        msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
        if (!msg)
                return NULL;