Commit 6447b0e3 authored by Eugene Korenevsky's avatar Eugene Korenevsky Committed by Steve French

cifs: parse_dfs_referrals: prevent oob on malformed input



A malicious SMB server can send an invalid reply to FSCTL_DFS_GET_REFERRALS:

- a reply smaller than sizeof(struct get_dfs_referral_rsp)
- a reply containing fewer referrals than the NumberOfReferrals field in the
header claims

Processing such replies causes out-of-bounds (oob) accesses.

Return -EINVAL on such replies to prevent the oob accesses.

Signed-off-by: default avatarEugene Korenevsky <ekorenevsky@aliyun.com>
Cc: stable@vger.kernel.org
Suggested-by: default avatarNathan Chancellor <nathan@kernel.org>
Acked-by: default avatarPaulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent c2b77f42
+17 −0
@@ -916,6 +916,14 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
	char *data_end;
	struct dfs_referral_level_3 *ref;

	if (rsp_size < sizeof(*rsp)) {
		cifs_dbg(VFS | ONCE,
			 "%s: header is malformed (size is %u, must be %zu)\n",
			 __func__, rsp_size, sizeof(*rsp));
		rc = -EINVAL;
		goto parse_DFS_referrals_exit;
	}

	*num_of_nodes = le16_to_cpu(rsp->NumberOfReferrals);

	if (*num_of_nodes < 1) {
@@ -925,6 +933,15 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size,
		goto parse_DFS_referrals_exit;
	}

	if (sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3) > rsp_size) {
		cifs_dbg(VFS | ONCE,
			 "%s: malformed buffer (size is %u, must be at least %zu)\n",
			 __func__, rsp_size,
			 sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3));
		rc = -EINVAL;
		goto parse_DFS_referrals_exit;
	}

	ref = (struct dfs_referral_level_3 *) &(rsp->referrals);
	if (ref->VersionNumber != cpu_to_le16(3)) {
		cifs_dbg(VFS, "Referrals of V%d version are not supported, should be V3\n",
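Review bot: The bound added in the second hunk, `sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3) > rsp_size`, is exact only if `referrals` is a flexible array member. The struct definition is not on this page, so that should be confirmed for every stable tree this is Cc'd to; with a one-element array, `sizeof(*rsp)` would already include one entry and a valid single-referral reply could be rejected. Computing the minimum once, `size_t min_size = offsetof(struct get_dfs_referral_rsp, referrals) + *num_of_nodes * sizeof(REFERRAL3);` followed by `if (min_size > rsp_size) {`, removes that dependency and the duplicated expression in the `cifs_dbg` call. The check covers only the fixed-size entries, so the string offsets carried by each referral presumably still have to be bounded against `data_end` by the parsing code that follows. parse_dfs_referrals starts and ends outside both hunks.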