[PATCH 4.18 136/235] cifs: integer overflow in in SMB2_ioctl()

24 Sep 2018

4.18-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 2d204ee9d671327915260071c19350d84344e096 upstream.
The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.
Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Steve French stfrench@microsoft.com
Reviewed-by: Aurelien Aptel aaptel@suse.com
CC: Stable stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 fs/cifs/smb2pdu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2418,14 +2418,14 @@ SMB2_ioctl(const unsigned int xid, struc
    /* We check for obvious errors in the output buffer length and offset */
    if (*plen == 0)
    	goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
    	cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
    	*plen = 0;
    	rc = -EIO;
    	goto ioctl_exit;
    }
-	if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
    	cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
    		le32_to_cpu(rsp->OutputOffset));
    	*plen = 0;

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.18 136/235] cifs: integer overflow in in SMB2_ioctl()