Commit dfd046d0 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: Use unsafe_memcpy() for ntlm_negotiate 



rsp buffer is allocated larger than spnego_blob from
smb2_allocate_rsp_buf().

Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 47ac09b9

fs/smb/server/smb2pdu.c

+5 −2
Original line number Diff line number Diff line
@@ -1370,7 +1370,8 @@ static int ntlm_negotiate(struct ksmbd_work *work, 
	}



	sz = le16_to_cpu(rsp->SecurityBufferOffset);

	memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);

	unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,

			/* alloc is larger than blob, see smb2_allocate_rsp_buf() */);

	rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);



out:
@@ -1453,7 +1454,9 @@ static int ntlm_authenticate(struct ksmbd_work *work, 
			return -ENOMEM;



		sz = le16_to_cpu(rsp->SecurityBufferOffset);

		memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);

		unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,

				spnego_blob_len,

				/* alloc is larger than blob, see smb2_allocate_rsp_buf() */);

		rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);

		kfree(spnego_blob);

	}