This is a note to let you know that I've just added the patch titled
smb: client: fix OOB in receive_encrypted_standard()
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
smb-client-fix-oob-in-receive_encrypted_standard.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable+bounces-19446-greg=kroah.com@xxxxxxxxxxxxxxx Sun Feb 11 21:54:20 2024
From: Guruswamy Basavaiah <guruswamy.basavaiah@xxxxxxxxxxxx>
Date: Mon, 12 Feb 2024 02:23:11 +0530
Subject: smb: client: fix OOB in receive_encrypted_standard()
To: stable@xxxxxxxxxxxxxxx, gregkh@xxxxxxxxxxxxxxxxxxx
Cc: ajay.kaher@xxxxxxxxxxxx, tapas.kundu@xxxxxxxxxxxx, Guruswamy Basavaiah <guruswamy.basavaiah@xxxxxxxxxxxx>, Robert Morris <rtm@xxxxxxxxxxxxx>, Paulo Alcantara <pc@xxxxxxxxxxxxx>, Steve French <stfrench@xxxxxxxxxxxxx>
Message-ID: <20240211205313.3097033-2-guruswamy.basavaiah@xxxxxxxxxxxx>
From: Paulo Alcantara <pc@xxxxxxxxxxxxx>
[ Upstream commit eec04ea119691e65227a97ce53c0da6b9b74b0b7 ]
Fix potential OOB in receive_encrypted_standard() if server returned a
large shdr->NextCommand that would end up writing off the end of
@next_buffer.
Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Robert Morris <rtm@xxxxxxxxxxxxx>
Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
[Guru: receive_encrypted_standard() is present in file smb2ops.c,
smb2ops.c file location is changed, modified patch accordingly.]
Signed-off-by: Guruswamy Basavaiah <guruswamy.basavaiah@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/cifs/smb2ops.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -5153,6 +5153,7 @@ receive_encrypted_standard(struct TCP_Se
struct smb2_sync_hdr *shdr;
unsigned int pdu_length = server->pdu_size;
unsigned int buf_size;
+ unsigned int next_cmd;
struct mid_q_entry *mid_entry;
int next_is_large;
char *next_buffer = NULL;
@@ -5181,14 +5182,15 @@ receive_encrypted_standard(struct TCP_Se
next_is_large = server->large_buf;
one_more:
shdr = (struct smb2_sync_hdr *)buf;
- if (shdr->NextCommand) {
+ next_cmd = le32_to_cpu(shdr->NextCommand);
+ if (next_cmd) {
+ if (WARN_ON_ONCE(next_cmd > pdu_length))
+ return -1;
if (next_is_large)
next_buffer = (char *)cifs_buf_get();
else
next_buffer = (char *)cifs_small_buf_get();
- memcpy(next_buffer,
- buf + le32_to_cpu(shdr->NextCommand),
- pdu_length - le32_to_cpu(shdr->NextCommand));
+ memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
}
mid_entry = smb2_find_mid(server, buf);
@@ -5212,8 +5214,8 @@ one_more:
else
ret = cifs_handle_standard(server, mid_entry);
- if (ret == 0 && shdr->NextCommand) {
- pdu_length -= le32_to_cpu(shdr->NextCommand);
+ if (ret == 0 && next_cmd) {
+ pdu_length -= next_cmd;
server->large_buf = next_is_large;
if (next_is_large)
server->bigbuf = buf = next_buffer;
Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are
queue-5.15/smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch
queue-5.15/smb-client-fix-parsing-of-smb3.1.1-posix-create-context.patch
queue-5.15/smb-client-fix-oob-in-receive_encrypted_standard.patch
