cifs: fix underflow in parse_server_interfaces()

PlaidCat · PlaidCat · commit e91cd266c1c8 · 2024-09-12T13:27:01.000-04:00
jira LE-1907 cve CVE-2024-26828 Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4 commit-author Dan Carpenter <dan.carpenter@linaro.org> commit cffe487 In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending. Fixes: fe856be ("CIFS: parse and store info on iface queries") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit cffe487) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
@@ -609,7 +609,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
 		goto out;
 	}
 
-	while (bytes_left >= sizeof(*p)) {
+	while (bytes_left >= (ssize_t)sizeof(*p)) {
 		memset(&tmp_iface, 0, sizeof(tmp_iface));
 		tmp_iface.speed = le64_to_cpu(p->LinkSpeed);
 		tmp_iface.rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE) ? 1 : 0;

Original file line number	Diff line number	Diff line change
`@@ -609,7 +609,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,`
`609`	`609`	`goto out;`
`610`	`610`	`}`
`611`	`611`
`612`		`- while (bytes_left >= sizeof(*p)) {`
	`612`	`+ while (bytes_left >= (ssize_t)sizeof(*p)) {`
`613`	`613`	`memset(&tmp_iface, 0, sizeof(tmp_iface));`
`614`	`614`	`tmp_iface.speed = le64_to_cpu(p->LinkSpeed);`
`615`	`615`	`tmp_iface.rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE) ? 1 : 0;`