summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorWilliam Liu <will@willsroot.io>2022-12-30 05:03:15 +0100
committerSteve French <stfrench@microsoft.com>2023-01-02 05:49:24 +0100
commit797805d81baa814f76cf7bdab35f86408a79d707 (patch)
tree58f3095507d810f88c68b0cc001d9887f997c1cd /fs
parentksmbd: send proper error response in smb2_tree_connect() (diff)
downloadlinux-797805d81baa814f76cf7bdab35f86408a79d707.tar.xz
linux-797805d81baa814f76cf7bdab35f86408a79d707.zip
ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
"nt_len - CIFS_ENCPWD_SIZE" is passed directly from ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative number (or large unsigned value) used for a subsequent memcpy in ksmbd_auth_ntlvm2 and can cause a panic. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: William Liu <will@willsroot.io> Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/ksmbd/auth.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 2a39ffb8423b..6e61b5bc7d86 100644
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
dn_len = le16_to_cpu(authblob->DomainName.Length);
- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
+ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
+ nt_len < CIFS_ENCPWD_SIZE)
return -EINVAL;
/* TODO : use domain name that imported from configuration file */