Commit f0a96d1
ksmbd: fix wrong UserName check in session_user
The offset of UserName is related to the address of security
buffer. To ensure the validaty of UserName, we need to compare name_off
+ name_len with secbuf_len instead of auth_msg_len.
[ 27.096243] ==================================================================
[ 27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350
[ 27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7
...
[ 27.099950] Call Trace:
[ 27.100194] <TASK>
[ 27.100397] dump_stack_lvl+0x33/0x50
[ 27.100752] print_report+0xcc/0x620
[ 27.102305] kasan_report+0xae/0xe0
[ 27.103072] kasan_check_range+0x35/0x1b0
[ 27.103757] smb_strndup_from_utf16+0x188/0x350
[ 27.105474] smb2_sess_setup+0xaf8/0x19c0
[ 27.107935] handle_ksmbd_work+0x274/0x810
[ 27.108315] process_one_work+0x419/0x760
[ 27.108689] worker_thread+0x2a2/0x6f0
[ 27.109385] kthread+0x160/0x190
[ 27.110129] ret_from_fork+0x1f/0x30
[ 27.110454] </TASK>
Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>1 parent 02f76c4 commit f0a96d1
1 file changed
+2
-3
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1356 | 1356 | | |
1357 | 1357 | | |
1358 | 1358 | | |
1359 | | - | |
| 1359 | + | |
1360 | 1360 | | |
1361 | 1361 | | |
1362 | 1362 | | |
| |||
1366 | 1366 | | |
1367 | 1367 | | |
1368 | 1368 | | |
1369 | | - | |
1370 | 1369 | | |
1371 | | - | |
| 1370 | + | |
1372 | 1371 | | |
1373 | 1372 | | |
1374 | 1373 | | |
| |||
0 commit comments