diff options
author | Ross Lagerwall <ross.lagerwall@citrix.com> | 2019-01-08 18:30:57 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-16 22:04:31 +0100 |
commit | 2a71a47e03ffa7aa68893406f8134977cb164b59 (patch) | |
tree | cdc9beb5f2bca54000d96fa2b2120cbb9e36844e /fs/cifs | |
parent | 7dcc5b36ea7f5f5d15907e439befa14cecffc9f1 (diff) | |
download | linux-stable-2a71a47e03ffa7aa68893406f8134977cb164b59.tar.gz linux-stable-2a71a47e03ffa7aa68893406f8134977cb164b59.tar.bz2 linux-stable-2a71a47e03ffa7aa68893406f8134977cb164b59.zip |
cifs: Fix potential OOB access of lock element array
commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.
If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/cifs')
-rw-r--r-- | fs/cifs/file.c | 8 | ||||
-rw-r--r-- | fs/cifs/smb2file.c | 4 |
2 files changed, 6 insertions, 6 deletions
diff --git a/fs/cifs/file.c b/fs/cifs/file.c index 8d41ca7bfcf1..7b637fc27990 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) /* * Accessing maxBuf is racy with cifs_reconnect - need to store value - * and check it for zero before using. + * and check it before using. */ max_buf = tcon->ses->server->maxBuf; - if (!max_buf) { + if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) { free_xid(xid); return -EINVAL; } @@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, /* * Accessing maxBuf is racy with cifs_reconnect - need to store value - * and check it for zero before using. + * and check it before using. */ max_buf = tcon->ses->server->maxBuf; - if (!max_buf) + if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) return -EINVAL; max_num = (max_buf - sizeof(struct smb_hdr)) / diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c index 4ed10dd086e6..2fc3d31967ee 100644 --- a/fs/cifs/smb2file.c +++ b/fs/cifs/smb2file.c @@ -122,10 +122,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, /* * Accessing maxBuf is racy with cifs_reconnect - need to store value - * and check it for zero before using. + * and check it before using. */ max_buf = tcon->ses->server->maxBuf; - if (!max_buf) + if (max_buf < sizeof(struct smb2_lock_element)) return -EINVAL; max_num = max_buf / sizeof(struct smb2_lock_element); |