Commit aab98e2d authored by Dan Carpenter's avatar Dan Carpenter Committed by Steve French

ksmbd: fix integer overflows on 32 bit systems



On 32bit systems the addition operations in ipc_msg_alloc() can
potentially overflow leading to memory corruption.
Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.

Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent b2d99376
+9 −0
@@ -627,6 +627,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
	struct ksmbd_spnego_authen_request *req;
	struct ksmbd_spnego_authen_response *resp;

	if (blob_len > KSMBD_IPC_MAX_PAYLOAD)
		return NULL;

	msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +
			blob_len + 1);
	if (!msg)
@@ -806,6 +809,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle
	struct ksmbd_rpc_command *req;
	struct ksmbd_rpc_command *resp;

	if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
		return NULL;

	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
	if (!msg)
		return NULL;
@@ -854,6 +860,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle
	struct ksmbd_rpc_command *req;
	struct ksmbd_rpc_command *resp;

	if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)
		return NULL;

	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
	if (!msg)
		return NULL;
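Review bot: The new guard in ksmbd_ipc_spnego_authen_request() bounds blob_len only from above, but the hunk header shows blob_len is a signed `int`, so a negative value would pass `blob_len > KSMBD_IPC_MAX_PAYLOAD` (assuming the macro is a signed constant; its definition is not shown here) and then be converted to a very large size_t in `sizeof(...) + blob_len + 1`, which is the same wrap this commit sets out to prevent. I would write the guard as `if (blob_len < 0 || blob_len > KSMBD_IPC_MAX_PAYLOAD)` so the size computation cannot wrap from either direction. The type of payload_sz in ksmbd_rpc_write() and ksmbd_rpc_ioctl() is cut off in their hunk headers; if it is signed, the same lower bound applies there. All three function bodies continue outside the hunks, so whether any caller can actually pass a negative length is not visible from this page.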