Skip to content

Commit 7c9dde4

Browse files
ciq-sahlbergPlaidCat
ciq-sahlberg
authored and
PlaidCat
committed
smb: client: fix OOB in receive_encrypted_standard()
jira SECO-47 cve CVE-2024-0565 commit eec04ea upstream-diff no diff for the file content but the file location has changed from fs/cifs/ to fs/smb/client/ Fix potential OOB in receive_encrypted_standard() if server returned a large shdr->NextCommand that would end up writing off the end of @next_buffer. Fixes: b24df3e ("cifs: update receive_encrypted_standard to handle compounded responses") Cc: stable@vger.kernel.org Reported-by: Robert Morris <rtm@csail.mit.edu> Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Ronnie Sahlberg <rsahlberg@ciq.com>
1 parent f6bbf85 commit 7c9dde4

File tree

1 file changed

+8
-6
lines changed

1 file changed

+8
-6
lines changed

fs/cifs/smb2ops.c

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -4884,6 +4884,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
48844884
struct smb2_sync_hdr *shdr;
48854885
unsigned int pdu_length = server->pdu_size;
48864886
unsigned int buf_size;
4887+
unsigned int next_cmd;
48874888
struct mid_q_entry *mid_entry;
48884889
int next_is_large;
48894890
char *next_buffer = NULL;
@@ -4912,14 +4913,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
49124913
next_is_large = server->large_buf;
49134914
one_more:
49144915
shdr = (struct smb2_sync_hdr *)buf;
4915-
if (shdr->NextCommand) {
4916+
next_cmd = le32_to_cpu(shdr->NextCommand);
4917+
if (next_cmd) {
4918+
if (WARN_ON_ONCE(next_cmd > pdu_length))
4919+
return -1;
49164920
if (next_is_large)
49174921
next_buffer = (char *)cifs_buf_get();
49184922
else
49194923
next_buffer = (char *)cifs_small_buf_get();
4920-
memcpy(next_buffer,
4921-
buf + le32_to_cpu(shdr->NextCommand),
4922-
pdu_length - le32_to_cpu(shdr->NextCommand));
4924+
memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
49234925
}
49244926

49254927
mid_entry = smb2_find_mid(server, buf);
@@ -4943,8 +4945,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
49434945
else
49444946
ret = cifs_handle_standard(server, mid_entry);
49454947

4946-
if (ret == 0 && shdr->NextCommand) {
4947-
pdu_length -= le32_to_cpu(shdr->NextCommand);
4948+
if (ret == 0 && next_cmd) {
4949+
pdu_length -= next_cmd;
49484950
server->large_buf = next_is_large;
49494951
if (next_is_large)
49504952
server->bigbuf = buf = next_buffer;

0 commit comments

Comments
 (0)