authorPaulo Alcantara <pc@cjr.nz>2022-10-06 18:04:05 +0200
committerSteve French <stfrench@microsoft.com>2022-10-13 16:36:39 +0200
commit9ee2afe5207b63b20426ee081f486d831bae871d (patch)
tree026ea3477fbfa06af3f8136bdb7aecc1f21dfed4 /fs
parentcifs: fix uninitialised var in smb2_compound_op() (diff)
cifs: prevent copying past input buffer boundaries
Prevent copying past @data buffer in smb2_validate_and_copy_iov() as the output buffer in @iov might be potentially bigger and thus copying more bytes than requested in @minbufsize. Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/smb2pdu.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index b3c4d2e54eaa..a3b77df2848c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3485,7 +3485,7 @@ smb2_validate_and_copy_iov(unsigned int offset, unsigned int buffer_length,
if (rc)
return rc;
- memcpy(data, begin_of_buf, buffer_length);
+ memcpy(data, begin_of_buf, minbufsize);
return 0;
}
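Review bot: The `memcpy(data, begin_of_buf, minbufsize)` line relies on two preconditions that are not stated anywhere in the hunk. The validation whose result is tested by `if (rc)` must reject a response with `buffer_length < minbufsize` (presumably it does, but the call is outside this hunk), and `data` must have room for `minbufsize` bytes. I would add a comment above the copy such as `/* copy exactly @minbufsize bytes: validated above to be <= @buffer_length; @data must be at least that large */`. A response longer than `minbufsize` is now silently truncated, so the function's header comment should say that callers receive only the first `minbufsize` bytes. The function begins outside the hunk.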
@@ -3609,7 +3609,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
le32_to_cpu(rsp->OutputBufferLength),
- &rsp_iov, min_len, *data);
+ &rsp_iov, dlen ? *dlen : min_len, *data);
if (rc && allocated) {
kfree(*data);
*data = NULL;
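Review bot: With `dlen ? *dlen : min_len` as the fourth argument, the copy length is `*dlen` whenever `dlen` is non-NULL, and that value may be chosen by the server. This holds if `*dlen` is filled from the response's `OutputBufferLength` earlier in query_info, which is not visible in this hunk. It is safe in the `allocated` case, where `*data` was presumably allocated here with that same length. A caller that supplies both `dlen` and a preallocated `*data` would instead get a write sized by the peer rather than by its own buffer. Consider rejecting that combination or clamping to the caller's buffer size before the call, or at least documenting that `*data` must be NULL whenever `dlen` is supplied. The enclosing block continues past the end of the hunk.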