On Tue, 2016-03-08 at 22:23 -0600, Steve French wrote:
> On Tue, Mar 8, 2016 at 9:47 PM, Ben Hutchings <ben@xxxxxxxxxxxxxxx> wrote:
> >
> > On Mon, 2016-03-07 at 16:02 -0800, Greg Kroah-Hartman wrote:
> > >
> > > 4.4-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Justin Maggard <jmaggard10@xxxxxxxxx>
> > >
> > > commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.
> > >
> > > When opening a file, SMB2_open() attempts to parse the lease state from the
> > > SMB2 CREATE Response. However, the parsing code was not careful to ensure
> > > that the create contexts are not empty or invalid, which can lead to out-
> > > of-bounds memory access. This can be seen easily by trying
> > > to read a file from a OSX 10.11 SMB3 server. Here is sample crash output:
[...]
> > > --- a/fs/cifs/smb2pdu.c
> > > +++ b/fs/cifs/smb2pdu.c
> > > @@ -1109,21 +1109,25 @@ parse_lease_state(struct TCP_Server_Info
> > > {
> > > char *data_offset;
> > > struct create_context *cc;
> > > - unsigned int next = 0;
> > > + unsigned int next;
> > > + unsigned int remaining;
> > > char *name;
> > >
> > > data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset);
> > > + remaining = le32_to_cpu(rsp->CreateContextsLength);
> > What if remaining is > the response length?
> Do you want to do the followon patch to check for that, or do you want me
> to write up a small patch for that?
[...]
I'm not likely to find time to dig into cifs, so please do work on the
complete fix.
Ben.
--
Ben Hutchings
When in doubt, use brute force. - Ken ThompsonAttachment:
signature.asc
Description: This is a digitally signed message part