Re: [PATCH 4/4] ksmbd-tools: Fix potential out-of-bounds write in ndr_write_*

Looks good to me.
Reviewed-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>

On Tue, Mar 1, 2022 at 11:55 PM, Marios Makassikis <mmakassikis@xxxxxxxxxx> wrote:
>
> align_offset() may advance the offset at which the data will be written,
> so it should be called before verifying that there is enough room in the
> output buffer.
>
> Signed-off-by: Marios Makassikis <mmakassikis@xxxxxxxxxx>
> ---
>  mountd/rpc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mountd/rpc.c b/mountd/rpc.c
> index 9d6402ba5281..20a445dea347 100644
> --- a/mountd/rpc.c
> +++ b/mountd/rpc.c
> @@ -294,9 +294,9 @@ static __u8 noop_int8(__u8 v)
>  #define NDR_WRITE_INT(name, type, be, le)                              \
>  int ndr_write_##name(struct ksmbd_dcerpc *dce, type value)             \
>  {                                                                      \
> +       align_offset(dce, sizeof(type));                                \
>         if (try_realloc_payload(dce, sizeof(value)))                    \
>                 return -ENOMEM;                                         \
> -       align_offset(dce, sizeof(type));                                \
>         if (dce->flags & KSMBD_DCERPC_LITTLE_ENDIAN)                    \
>                 *(type *)PAYLOAD_HEAD(dce) = le(value);                 \
>         else                                                            \
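
Review bot: in NDR_WRITE_INT, align_offset(dce, sizeof(type)) now moves the offset before try_realloc_payload() can fail, so the -ENOMEM return leaves dce->offset advanced by the padding. If callers may keep using the dce after an error, save the offset and restore it on that path, or state in a comment that the dce must not be reused after a failure. A one-line comment above the align_offset() call saying that alignment has to precede the room check would also keep the order from being swapped back later. Minor: the alignment uses sizeof(type) and the room check uses sizeof(value); one spelling for both would read more clearly.
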
> @@ -377,10 +377,10 @@ NDR_READ_UNION(int32, __u32);
>
>  int ndr_write_bytes(struct ksmbd_dcerpc *dce, void *value, size_t sz)
>  {
> +       align_offset(dce, 2);
>         if (try_realloc_payload(dce, sizeof(short)))
>                 return -ENOMEM;
>
> -       align_offset(dce, 2);
>         memcpy(PAYLOAD_HEAD(dce), value, sz);
>         dce->offset += sz;
>         return 0;
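
Review bot: in ndr_write_bytes the room check is still try_realloc_payload(dce, sizeof(short)), while the memcpy() that follows writes sz bytes at PAYLOAD_HEAD(dce). Calling align_offset(dce, 2) first fixes the ordering, but as far as these lines show the check only asks for two bytes, so a write with sz larger than that is not covered by it. Suggest passing sz to try_realloc_payload() so the reserved room matches what memcpy() and "dce->offset += sz" consume.
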
> --
> 2.25.1
>


-- 
Thanks,
Hyunchul



