Commit 8ad8aa35 authored by Dan Carpenter's avatar Dan Carpenter Committed by Steve French
Browse files

cifs: prevent integer overflow in nxt_dir_entry() 



The "old_entry + le32_to_cpu(pDirInfo->NextEntryOffset)" can wrap
around so I have added a check for integer overflow.

Reported-by: default avatarDr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
parent 5890184d

fs/cifs/readdir.c

+9 −2
Original line number Diff line number Diff line
@@ -376,8 +376,15 @@ static char *nxt_dir_entry(char *old_entry, char *end_of_smb, int level) 


		new_entry = old_entry + sizeof(FIND_FILE_STANDARD_INFO) +

				pfData->FileNameLength;

	} else

		new_entry = old_entry + le32_to_cpu(pDirInfo->NextEntryOffset);

	} else {

		u32 next_offset = le32_to_cpu(pDirInfo->NextEntryOffset);



		if (old_entry + next_offset < old_entry) {

			cifs_dbg(VFS, "invalid offset %u\n", next_offset);

			return NULL;

		}

		new_entry = old_entry + next_offset;

	}

	cifs_dbg(FYI, "new entry %p old entry %p\n", new_entry, old_entry);

	/* validate that new_entry is not past end of SMB */

	if (new_entry >= end_of_smb) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE