This is a note to let you know that I've just added the patch titled
ksmbd: allocate one more byte for implied bcc[0]
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-allocate-one-more-byte-for-implied-bcc.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 443d61d1fa9faa60ef925513d83742902390100f Mon Sep 17 00:00:00 2001
From: Chih-Yen Chang <cc85nod@xxxxxxxxx>
Date: Sat, 6 May 2023 00:03:54 +0900
Subject: ksmbd: allocate one more byte for implied bcc[0]
From: Chih-Yen Chang <cc85nod@xxxxxxxxx>
commit 443d61d1fa9faa60ef925513d83742902390100f upstream.
ksmbd_smb2_check_message allows client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bound access.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Chih-Yen Chang <cc85nod@xxxxxxxxx>
Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/connection.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -320,7 +320,8 @@ int ksmbd_conn_handler_loop(void *p)
break;
/* 4 for rfc1002 length field */
- size = pdu_size + 4;
+ /* 1 for implied bcc[0] */
+ size = pdu_size + 4 + 1;
conn->request_buf = kvmalloc(size, GFP_KERNEL);
if (!conn->request_buf)
break;
Patches currently in stable-queue which might be from cc85nod@xxxxxxxxx are
queue-5.15/ksmbd-fix-wrong-username-check-in-session_user.patch
queue-5.15/ksmbd-allocate-one-more-byte-for-implied-bcc.patch
queue-5.15/ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch
