If ->DataOffset of create context is 0, DataBuffer size is not correctly validated. This patch change wrong validation code and consider tag length in request. Reported-by: zdi-disclosures@xxxxxxxxxxxxxx # ZDI-CAN-21824 Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx> --- fs/smb/server/oplock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c index 6bc8a1e48171..9bc0103720f5 100644 --- a/fs/smb/server/oplock.c +++ b/fs/smb/server/oplock.c @@ -1481,7 +1481,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag, i name_len < 4 || name_off + name_len > cc_len || (value_off & 0x7) != 0 || - (value_off && (value_off < name_off + name_len)) || + (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) || ((u64)value_off + value_len > cc_len)) return ERR_PTR(-EINVAL); -- 2.25.1