未验证 提交 65aa72b1 编写于 作者: O openeuler-ci-bot 提交者: Gitee

!1674 [sync] PR-1596: ksmbd: fix out-of-bound read in deassemble_neg_contexts()

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1596 
 
PR sync from: Li Lingfeng <lilingfeng3@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MKD6POKWLXC45KXPZXCZ7N52MPOZMNAR/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7LU2Q 
 
Link:https://gitee.com/openeuler/kernel/pulls/1674 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
...@@ -978,13 +978,13 @@ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn, ...@@ -978,13 +978,13 @@ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,
static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn, static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
struct smb2_negotiate_req *req, struct smb2_negotiate_req *req,
int len_of_smb) unsigned int len_of_smb)
{ {
/* +4 is to account for the RFC1001 len field */ /* +4 is to account for the RFC1001 len field */
struct smb2_neg_context *pctx = (struct smb2_neg_context *)req; struct smb2_neg_context *pctx = (struct smb2_neg_context *)req;
int i = 0, len_of_ctxts; int i = 0, len_of_ctxts;
int offset = le32_to_cpu(req->NegotiateContextOffset); unsigned int offset = le32_to_cpu(req->NegotiateContextOffset);
int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount); unsigned int neg_ctxt_cnt = le16_to_cpu(req->NegotiateContextCount);
__le32 status = STATUS_INVALID_PARAMETER; __le32 status = STATUS_INVALID_PARAMETER;
ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt); ksmbd_debug(SMB, "decoding %d negotiate contexts\n", neg_ctxt_cnt);
...@@ -1002,7 +1002,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn, ...@@ -1002,7 +1002,7 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
if (len_of_ctxts == 0) if (len_of_ctxts == 0)
break; break;
if (len_of_ctxts < sizeof(struct smb2_neg_context)) if (len_of_ctxts < (int)sizeof(struct smb2_neg_context))
break; break;
pctx = (struct smb2_neg_context *)((char *)pctx + offset); pctx = (struct smb2_neg_context *)((char *)pctx + offset);
...@@ -1053,9 +1053,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn, ...@@ -1053,9 +1053,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
} }
/* offsets must be 8 byte aligned */ /* offsets must be 8 byte aligned */
clen = (clen + 7) & ~0x7; offset = (clen + sizeof(struct smb2_neg_context) + 7) & ~0x7;
offset = clen + sizeof(struct smb2_neg_context); len_of_ctxts -= offset;
len_of_ctxts -= clen + sizeof(struct smb2_neg_context);
} }
return status; return status;
} }
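Review bot: The debug line at the end of the first hunk still prints `neg_ctxt_cnt` with `%d` although the same hunk changes its type to `unsigned int`; the specifier should follow the type, `ksmbd_debug(SMB, "decoding %u negotiate contexts\n", neg_ctxt_cnt);`. In the last hunk `len_of_ctxts` stays `int` while `offset` is now `unsigned int`, so `len_of_ctxts -= offset;` is evaluated in unsigned arithmetic and converted back to `int`; the loop-head guard `len_of_ctxts < (int)sizeof(struct smb2_neg_context)` appears to stop iteration once that result goes negative, but the check that bounds `clen` (and therefore `offset`) against the remaining length lies in context between the hunks and is not visible here, so it should be confirmed rather than assumed. A short comment on the subtraction, such as `/* may go negative; the loop-head size check terminates the walk */`, would make the intended signed behaviour explicit. The body of deassemble_neg_contexts between the hunks is outside this view.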