Commit aa2a739a authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

cifs: fix incorrect validation for num_aces field of smb_acl 



parse_dcal() validate num_aces to allocate ace array.

f (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in response buffer
size. Use this to check invalid num_aces.

Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 1b8b67f3

fs/smb/client/cifsacl.c

+6 −2
Original line number Diff line number Diff line
@@ -778,7 +778,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, 
	}



	/* validate that we do not go past end of acl */

	if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {

	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||

	    end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {

		cifs_dbg(VFS, "ACL too small to parse DACL\n");

		return;

	}
@@ -799,8 +800,11 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, 
	if (num_aces > 0) {

		umode_t denied_mode = 0;



		if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))

		if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /

				(offsetof(struct smb_ace, sid) +

				 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))

			return;



		ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),

				      GFP_KERNEL);

		if (!ppace)