On Wed, Jan 03, 2024 at 09:29:16AM +0900, Namjae Jeon wrote:
From: Namjae Jeon linkinjeon@kernel.org
[ Upstream commit d10c77873ba1e9e6b91905018e29e196fd5f863d ]
If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length, ksmbd_check_message doesn't validate request buffer it correctly. So slab-out-of-bounds warning from calling smb_strndup_from_utf16() in smb2_open() could happen. If ->NameLength is non-zero, Set the larger of the two sums (Name and CreateContext size) as the offset and length of the data area.
Reported-by: Yang Chaoming lometsj@live.com Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com
fs/ksmbd/smb2misc.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
Now queued up, thanks.
greg k-h