[PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems

[Dan Carpenter <dan.carpenter@xxxxxxxxxx>]

On 32bit systems the addition operations in ipc_msg_alloc() can
potentially overflow leading to memory corruption.  Fix this using
size_add() which will ensure that the invalid allocations do not succeed.
In the callers, move the two constant values
"sizeof(struct ksmbd_rpc_command) + 1" onto the same side and use
size_add() for the user controlled values.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
I sent this patch in Oct 2023 but it wasn't applied.
https://lore.kernel.org/all/205c4ec1-7c41-4f5d-8058-501fc1b5163c@moroto.mountain/
I reviewed this code again today and it is still an issue.

 fs/smb/server/transport_ipc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index befaf42b84cc..ec72c97b2f0b 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -242,7 +242,7 @@ static void ipc_update_last_active(void)
 static struct ksmbd_ipc_msg *ipc_msg_alloc(size_t sz)
 {
 	struct ksmbd_ipc_msg *msg;
-	size_t msg_sz = sz + sizeof(struct ksmbd_ipc_msg);
+	size_t msg_sz = size_add(sz, sizeof(struct ksmbd_ipc_msg));
 
 	msg = kvzalloc(msg_sz, KSMBD_DEFAULT_GFP);
 	if (msg)
@@ -626,8 +626,8 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
 	struct ksmbd_spnego_authen_request *req;
 	struct ksmbd_spnego_authen_response *resp;
 
-	msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
-			blob_len + 1);
+	msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_spnego_authen_request) + 1,
+				     blob_len));
 	if (!msg)
 		return NULL;
 
@@ -805,7 +805,8 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
 	struct ksmbd_rpc_command *req;
 	struct ksmbd_rpc_command *resp;
 
-	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+	msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1,
+				     payload_sz));
 	if (!msg)
 		return NULL;
 
@@ -853,7 +854,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
 	struct ksmbd_rpc_command *req;
 	struct ksmbd_rpc_command *resp;
 
-	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+	msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
 	if (!msg)
 		return NULL;
 
@@ -878,7 +879,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payloa
 	struct ksmbd_rpc_command *req;
 	struct ksmbd_rpc_command *resp;
 
-	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
+	msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, payload_sz));
 	if (!msg)
 		return NULL;
 
-- 
2.45.2