Commit bab703ed authored by Norbert Szetei's avatar Norbert Szetei Committed by Steve French

ksmbd: add bounds check for create lease context



Add missing bounds check for create lease context.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 542027e1
+8 −0
@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
	if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
		struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;

		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
		    sizeof(struct create_lease_v2) - 4)
			return NULL;

		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
		lreq->req_state = lc->lcontext.LeaseState;
		lreq->flags = lc->lcontext.LeaseFlags;
@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
	} else {
		struct create_lease *lc = (struct create_lease *)cc;

		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
		    sizeof(struct create_lease))
			return NULL;

		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
		lreq->req_state = lc->lcontext.LeaseState;
		lreq->flags = lc->lcontext.LeaseFlags;
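Review bot: Both new early exits, the `return NULL;` after the v2 length check and the one in the `else` branch, leave the function without releasing `lreq`. `lreq` is written to immediately after each check, so it is presumably allocated earlier in parse_lease_state(), outside these hunks. If that is the case, every create request rejected by the new checks leaks one allocation, and the triggering input comes from the client. Free it on these paths, for example `kfree(lreq);` before each `return NULL;`, or jump to a shared error label if the function has one. The `- 4` in the v2 bound is also unexplained; add a short comment naming what the four bytes are (possibly trailing padding, to be confirmed against the struct definition), or express the bound with `offsetofend(struct create_lease_v2, lcontext)` so it tracks the fields actually read.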