Commit 17cf0c2

namjaejeon authored and smfrench committed
ksmbd: validate request buffer size in smb2_allocate_rsp_buf()

The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header are used in smb2_allocate_rsp_buf(). This patch adds simple buffer size validation to avoid potential out-of-bounds in request buffer.

Cc: [email protected]
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

1 parent c119f4e commit 17cf0c2

1 file changed: +4 -0 lines changed

fs/smb/server/smb2pdu.c

@@ -535,6 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
535535
if (cmd == SMB2_QUERY_INFO_HE) {
536536
struct smb2_query_info_req *req;
537537

538+
if (get_rfc1002_len(work->request_buf) <
539+
offsetof(struct smb2_query_info_req, OutputBufferLength))
540+
return -EINVAL;
541+
538542
req = smb2_get_msg(work->request_buf);
539543
if ((req->InfoType == SMB2_O_INFO_FILE &&
540544
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
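
Review bot: The bound in the added check, offsetof(struct smb2_query_info_req, OutputBufferLength), only guarantees that the fields laid out before OutputBufferLength are inside the request, and nothing in the hunk says why that is the right limit. The code right after it reads req->InfoType and req->FileInfoClass, so a one-line comment naming those as the fields the check protects would make the choice reviewable. If the rest of that condition (cut off in this context) reads OutputBufferLength or anything after it, the bound has to move to cover that field as well. Separately, cmd is compared against SMB2_QUERY_INFO_HE before this length check runs, so the new test does not cover whatever header read produced cmd. The commit message mentions the smb2 header too, so please either add a size check ahead of that read or point to where it is already done.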
