Commit 1b8b67f3 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: fix incorrect validation for num_aces field of smb_acl 



parse_dcal() validate num_aces to allocate posix_ace_state_array.

if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.

Reported-by: default avatarIgor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: default avatarIgor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 62e7dd0a

fs/smb/server/smbacl.c

+4 −1
Original line number Diff line number Diff line
@@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap *idmap, 
	if (num_aces <= 0)

		return;



	if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

	if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /

			(offsetof(struct smb_ace, sid) +

			 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))

		return;



	ret = init_acl_state(&acl_state, num_aces);
@@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap *idmap, 
			offsetof(struct smb_sid, sub_auth);



		if (end_of_acl - acl_base < acl_size ||

		    ppace[i]->sid.num_subauth == 0 ||

		    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||

		    (end_of_acl - acl_base <

		     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||