diff options
author | Paulo Alcantara <pc@cjr.nz> | 2022-10-06 18:04:05 +0200 |
---|---|---|
committer | Steve French <stfrench@microsoft.com> | 2022-10-13 16:36:39 +0200 |
commit | 9ee2afe5207b63b20426ee081f486d831bae871d (patch) | |
tree | 026ea3477fbfa06af3f8136bdb7aecc1f21dfed4 /fs | |
parent | cifs: fix uninitialised var in smb2_compound_op() (diff) | |
download | linux-9ee2afe5207b63b20426ee081f486d831bae871d.tar.xz linux-9ee2afe5207b63b20426ee081f486d831bae871d.zip |
cifs: prevent copying past input buffer boundaries
Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
the output buffer in @iov might be potentially bigger and thus copying
more bytes than requested in @minbufsize.
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/smb2pdu.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index b3c4d2e54eaa..a3b77df2848c 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -3485,7 +3485,7 @@ smb2_validate_and_copy_iov(unsigned int offset, unsigned int buffer_length, if (rc) return rc; - memcpy(data, begin_of_buf, buffer_length); + memcpy(data, begin_of_buf, minbufsize); return 0; } @@ -3609,7 +3609,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon, rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset), le32_to_cpu(rsp->OutputBufferLength), - &rsp_iov, min_len, *data); + &rsp_iov, dlen ? *dlen : min_len, *data); if (rc && allocated) { kfree(*data); *data = NULL; |