Commit eeb827f2 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

cifs: add validation check for the fields in smb_aces



cifs.ko is missing validation checks when accessing smb_aces.
This patch adds validation checks for the fields in smb_aces.

Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 1821e90b
+16 −1
@@ -811,7 +811,23 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
			return;

		for (i = 0; i < num_aces; ++i) {
			if (end_of_acl - acl_base < acl_size)
				break;

			ppace[i] = (struct smb_ace *) (acl_base + acl_size);
			acl_base = (char *)ppace[i];
			acl_size = offsetof(struct smb_ace, sid) +
				offsetof(struct smb_sid, sub_auth);

			if (end_of_acl - acl_base < acl_size ||
			    ppace[i]->sid.num_subauth == 0 ||
			    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
			    (end_of_acl - acl_base <
			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
			    (le16_to_cpu(ppace[i]->size) <
			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
				break;

#ifdef CONFIG_CIFS_DEBUG2
			dump_ace(ppace[i], end_of_acl);
#endif
@@ -855,7 +871,6 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
				(void *)ppace[i],
				sizeof(struct smb_ace)); */

			acl_base = (char *)ppace[i];
			acl_size = le16_to_cpu(ppace[i]->size);
		}
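Review bot: Both new `break` paths in the loop stop parsing silently, so a DACL with a truncated or inconsistent ACE (a bad `num_subauth`, or a `size` smaller than the header plus SID) looks the same as a shorter valid one, and only the ACEs before it are processed. Since these fields come from the server, I would log the rejection before leaving the loop, e.g. `cifs_dbg(VFS, "malformed ACE %d in DACL, parsing stopped\n", i);`, and consider whether anything derived from the partial list should be discarded instead; the code after the loop is outside the hunk, so that part is unverified here. The five-clause condition would also benefit from a short comment saying that it checks, in order, that the fixed ACE/SID header fits in the buffer, that `num_subauth` is in range, and that both the buffer and the ACE's own `size` cover the sub-authorities. parse_dacl starts and ends outside the visible hunks.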