Re: [PATCH 1/4] smb: client: fix parsing of SMB3.1.1 POSIX create context

Merged this 4-patch series into cifs-2.6.git for-next pending
additional review and testing.


On Thu, Jan 18, 2024 at 10:08 PM Paulo Alcantara <pc@xxxxxxxxxxxxx> wrote:
>
> The data offset for the SMB3.1.1 POSIX create context will always be
> 8-byte aligned so having the check 'noff + nlen >= doff' in
> smb2_parse_contexts() is wrong as it will lead to -EINVAL because noff
> + nlen == doff.
>
> Fix the sanity check to correctly handle aligned create context data.
>
> Fixes: af1689a9b770 ("smb: client: fix potential OOBs in smb2_parse_contexts()")
> Signed-off-by: Paulo Alcantara <pc@xxxxxxxxxxxxx>
> ---
>  fs/smb/client/smb2pdu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 44abd4deb9eb..288199f0b987 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -2308,7 +2308,7 @@ int smb2_parse_contexts(struct TCP_Server_Info *server,
>
>                 noff = le16_to_cpu(cc->NameOffset);
>                 nlen = le16_to_cpu(cc->NameLength);
> -               if (noff + nlen >= doff)
> +               if (noff + nlen > doff)
>                         return -EINVAL;
>
>                 name = (char *)cc + noff;
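Review bot: The relaxed comparison at `if (noff + nlen > doff)` should carry a one-line comment stating that the name is allowed to end exactly at the data offset (noff + nlen == doff). The `>=` form came from the OOB hardening commit named in the Fixes tag, and nothing in the code itself explains why equality is now safe; the 8-byte alignment reasoning exists only in the commit message. It is also worth confirming that doff and the data length are bounded against the remaining buffer before this point, since that is not visible in this hunk and this check only constrains the name relative to doff.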
> --
> 2.43.0
>


-- 
Thanks,

Steve
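
The boundary case from the commit message, as an added example that is not part of the patch or the kernel source: a user-space model of the name/data check, run on a constructed context. It assumes the MS-SMB2 create-context header layout and a 16-byte name for the POSIX context; `check_context` and `build_context` are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header: Next(4) NameOffset(2) NameLength(2) Reserved(2) DataOffset(2) DataLength(4) */
#define CC_HDR_LEN 16

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Check one create context of `rem` bytes. old_check=1 models the pre-patch
 * '>=' comparison, old_check=0 the patched '>' comparison. */
int check_context(const uint8_t *cc, size_t rem, int old_check)
{
    if (rem < CC_HDR_LEN)
        return -EINVAL;
    uint32_t noff = rd16(cc + 4), nlen = rd16(cc + 6);
    uint32_t doff = rd16(cc + 10), dlen = rd32(cc + 12);

    if ((uint64_t)doff + dlen > rem)      /* data must fit in the context */
        return -EINVAL;
    if (old_check ? noff + nlen >= doff : noff + nlen > doff)
        return -EINVAL;                   /* name must not run into the data */
    return 0;
}

/* Constructed sample: `nlen`-byte name right after the header, data at the
 * next 8-byte boundary. Returns the total length written. */
size_t build_context(uint8_t *buf, uint16_t nlen, uint16_t dlen)
{
    uint16_t doff = (uint16_t)((CC_HDR_LEN + nlen + 7u) & ~7u);
    memset(buf, 0, (size_t)doff + dlen);
    buf[4] = CC_HDR_LEN;                  /* NameOffset, little-endian */
    buf[6] = (uint8_t)nlen;  buf[7] = (uint8_t)(nlen >> 8);
    buf[10] = (uint8_t)doff; buf[11] = (uint8_t)(doff >> 8);
    buf[12] = (uint8_t)dlen; buf[13] = (uint8_t)(dlen >> 8);
    return (size_t)doff + dlen;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_context(buf, 16, 8); /* 16-byte name ends exactly at doff=32 */
    printf("old=%d new=%d\n", check_context(buf, n, 1), check_context(buf, n, 0));
    return 0;
}
```

A 4-byte name leaves padding before the data, so both comparisons accept it; only a name that already fills an 8-byte boundary hits the equality case.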




