ksmbd: validate compound response buffer

author Namjae Jeon <linkinjeon@kernel.org>

Mon, 11 Oct 2021 10:15:25 +0000 (19:15 +0900)

committer Steve French <stfrench@microsoft.com>

Thu, 14 Oct 2021 04:37:19 +0000 (23:37 -0500)
author Namjae Jeon <linkinjeon@kernel.org>
Mon, 11 Oct 2021 10:15:25 +0000 (19:15 +0900)
committer Steve French <stfrench@microsoft.com>
Thu, 14 Oct 2021 04:37:19 +0000 (23:37 -0500)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c

index 7b4689f2df499eb60b26e34b2f442e1e60d9e3dd..89c187aa8db28235d00feae2b37ed3dfde127469 100644 (file)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -449,6 +449,12 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
                         return false;
                 }
  
+               if ((u64)get_rfc1002_len(work->response_buf) + MAX_CIFS_SMALL_BUFFER_SIZE >
+                   work->response_sz) {
+                       pr_err("next response offset exceeds response buffer size\n");
+                       return false;
+               }
+
                 ksmbd_debug(SMB, "got SMB2 chained command\n");
                 init_chained_smb2_rsp(work);
                 return true;
author	Namjae Jeon <linkinjeon@kernel.org>
	Mon, 11 Oct 2021 10:15:25 +0000 (19:15 +0900)
committer	Steve French <stfrench@microsoft.com>
	Thu, 14 Oct 2021 04:37:19 +0000 (23:37 -0500)