ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

[ Upstream commit d10c77873ba1e9e6b91905018e29e196fd5f863d ]

If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
ksmbd_check_message doesn't validate request buffer it correctly.
So slab-out-of-bounds warning from calling smb_strndup_from_utf16()
in smb2_open() could happen. If ->NameLength is non-zero, Set the larger
of the two sums (Name and CreateContext size) as the offset and length of
the data area.

Reported-by: Yang Chaoming <lometsj@live.com>
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/smb/server/smb2misc.c b/fs/smb/server/smb2misc.c
index 03dded29a9804205f7f96802d99beb28a1c8eaf9..7c872ffb4b0a9821bc6ed4c5d5fe394a74d15a31 100644 (file)
--- a/fs/smb/server/smb2misc.c
+++ b/fs/smb/server/smb2misc.c
@@ -107,7 +107,10 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
        case SMB2_CREATE:
        {
                unsigned short int name_off =
-                       le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset);
+                       max_t(unsigned short int,
+                             le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset),
+                             offsetof(struct smb2_create_req, Buffer));
+
                unsigned short int name_len =
                        le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);