cifs: integer overflow in in SMB2_ioctl() (2d204ee9) · Commits · 戴 / test

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: ("SMB2 FSCTL and IOCTL worker function") Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:

Steve French <stfrench@microsoft.com> Reviewed-by:

Aurelien Aptel <aaptel@suse.com> CC: Stable <stable@vger.kernel.org>

fs/cifs/smb2pdu.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
		/* We check for obvious errors in the output buffer length and offset */
		if (*plen == 0)
		goto ioctl_exit; /* server returned no data */
		else if (*plen > 0xFF00) {
		else if (plen > rsp_iov.iov_len \|\| plen > 0xFF00) {
		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
		*plen = 0;
		rc = -EIO;
		goto ioctl_exit;
		}

		if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
		if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
		le32_to_cpu(rsp->OutputOffset));
		*plen = 0;

Admin message