ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

JordyZomer · smfrench · commit 313dab082289 · 2024-12-01T17:31:19.000-06:00
An offset from client could be a negative value, It could allows
to write data outside the bounds of the allocated buffer.
Note that this issue is coming when setting
'vfs objects = streams_xattr parameter' in ksmbd.conf.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: Jordy Zomer &lt;jordyzomer@google.com&gt;
Signed-off-by: Jordy Zomer &lt;jordyzomer@google.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
@@ -6882,6 +6882,8 @@ int smb2_write(struct ksmbd_work *work)
 	}
 
 	offset = le64_to_cpu(req->Offset);
+	if (offset < 0)
+		return -EINVAL;
 	length = le32_to_cpu(req->Length);
 
 	if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||

Original file line number	Diff line number	Diff line change
`@@ -6882,6 +6882,8 @@ int smb2_write(struct ksmbd_work *work)`
`6882`	`6882`	`}`
`6883`	`6883`
`6884`	`6884`	`offset = le64_to_cpu(req->Offset);`
	`6885`	`+ if (offset < 0)`
	`6886`	`+ return -EINVAL;`
`6885`	`6887`	`length = le32_to_cpu(req->Length);`
`6886`	`6888`
`6887`	`6889`	`if (req->Channel == SMB2_CHANNEL_RDMA_V1 \|\|`