ksmbd: fix wrong UserName check in session_user
commit f0a96d1aaf
upstream.
The offset of UserName is related to the address of security
buffer. To ensure the validaty of UserName, we need to compare name_off
+ name_len with secbuf_len instead of auth_msg_len.
[ 27.096243] ==================================================================
[ 27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350
[ 27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7
...
[ 27.099950] Call Trace:
[ 27.100194] <TASK>
[ 27.100397] dump_stack_lvl+0x33/0x50
[ 27.100752] print_report+0xcc/0x620
[ 27.102305] kasan_report+0xae/0xe0
[ 27.103072] kasan_check_range+0x35/0x1b0
[ 27.103757] smb_strndup_from_utf16+0x188/0x350
[ 27.105474] smb2_sess_setup+0xaf8/0x19c0
[ 27.107935] handle_ksmbd_work+0x274/0x810
[ 27.108315] process_one_work+0x419/0x760
[ 27.108689] worker_thread+0x2a2/0x6f0
[ 27.109385] kthread+0x160/0x190
[ 27.110129] ret_from_fork+0x1f/0x30
[ 27.110454] </TASK>
Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Родитель
61e043326e
Коммит
7657321b26
|
@ -1387,7 +1387,7 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
|
|||
struct authenticate_message *authblob;
|
||||
struct ksmbd_user *user;
|
||||
char *name;
|
||||
unsigned int auth_msg_len, name_off, name_len, secbuf_len;
|
||||
unsigned int name_off, name_len, secbuf_len;
|
||||
|
||||
secbuf_len = le16_to_cpu(req->SecurityBufferLength);
|
||||
if (secbuf_len < sizeof(struct authenticate_message)) {
|
||||
|
@ -1397,9 +1397,8 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn,
|
|||
authblob = user_authblob(conn, req);
|
||||
name_off = le32_to_cpu(authblob->UserName.BufferOffset);
|
||||
name_len = le16_to_cpu(authblob->UserName.Length);
|
||||
auth_msg_len = le16_to_cpu(req->SecurityBufferOffset) + secbuf_len;
|
||||
|
||||
if (auth_msg_len < (u64)name_off + name_len)
|
||||
if (secbuf_len < (u64)name_off + name_len)
|
||||
return NULL;
|
||||
|
||||
name = smb_strndup_from_utf16((const char *)authblob + name_off,
|
||||
|
|
Загрузка…
Ссылка в новой задаче