lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20211115165458.519042615@linuxfoundation.org>
Date:   Mon, 15 Nov 2021 18:06:04 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org, Namjae Jeon <linkinjeon@...nel.org>,
        Hyunchul Lee <hyc.lee@...il.com>,
        Marios Makassikis <mmakassikis@...ebox.fr>,
        Steve French <stfrench@...rosoft.com>
Subject: [PATCH 5.15 869/917] ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()

From: Marios Makassikis <mmakassikis@...ebox.fr>

commit 78f1688a64cca77758ceb9b183088cf0054bfc82 upstream.

The validate_negotiate_info_req struct definition includes an extra
field to access the data coming after the header. This causes the check
in fsctl_validate_negotiate_info() to count the first element of the
array twice. This in turn makes some valid requests fail, depending on
whether they include padding or not.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@...r.kernel.org # v5.15
Acked-by: Namjae Jeon <linkinjeon@...nel.org>
Acked-by: Hyunchul Lee <hyc.lee@...il.com>
Signed-off-by: Marios Makassikis <mmakassikis@...ebox.fr>
Signed-off-by: Steve French <stfrench@...rosoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7319,7 +7319,7 @@ static int fsctl_validate_negotiate_info
 	int ret = 0;
 	int dialect;
 
-	if (in_buf_len < sizeof(struct validate_negotiate_info_req) +
+	if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) +
 			le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
 		return -EINVAL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ