cifs: check offset in decode_ntlmssp_challenge()
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 31 Jan 2012 08:52:01 +0000 (11:52 +0300)
committerSteve French <smfrench@gmail.com>
Tue, 31 Jan 2012 13:42:06 +0000 (07:42 -0600)
We should check that we're not copying memory from beyond the end of the
blob.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
fs/cifs/sess.c

index d85efad..eb76741 100644 (file)
@@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
        ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
        tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
        tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
+       if (tioffset > blob_len || tioffset + tilen > blob_len) {
+               cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
+               return -EINVAL;
+       }
        if (tilen) {
                ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
                if (!ses->auth_key.response) {