ksmbd: validate length in smb2_write()
mainline inclusion from mainline-v5.18-rc6 commit 158a66b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I67AMR CVE: CVE-2022-47940 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=158a66b245739e15858de42c0ba60fcf3de9b8e6 -------------------------------- The SMB2 Write packet contains data that is to be written to a file or to a pipe. Depending on the client, there may be padding between the header and the data field. Currently, the length is validated only in the case padding is present. Since the DataOffset field always points to the beginning of the data, there is no need to have a special case for padding. By removing this, the length is validated in both cases. Signed-off-by: NMarios Makassikis <mmakassikis@freebox.fr> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> conflicts: fs/ksmbd/smb2pdu.c Signed-off-by: NLong Li <leo.lilong@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
Showing
想要评论请 注册 或 登录