| From b9a74cde94957d82003fb9f7ab4777938ca851cd Mon Sep 17 00:00:00 2001 |
| From: Ross Lagerwall <ross.lagerwall@citrix.com> |
| Date: Tue, 8 Jan 2019 18:30:57 +0000 |
| Subject: cifs: Fix potential OOB access of lock element array |
| |
| From: Ross Lagerwall <ross.lagerwall@citrix.com> |
| |
| commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream. |
| |
| If maxBuf is small but non-zero, it could result in a zero sized lock |
| element array which we would then try and access OOB. |
| |
| Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> |
| Signed-off-by: Steve French <stfrench@microsoft.com> |
| CC: Stable <stable@vger.kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/cifs/file.c | 8 ++++---- |
| fs/cifs/smb2file.c | 4 ++-- |
| 2 files changed, 6 insertions(+), 6 deletions(-) |
| |
| --- a/fs/cifs/file.c |
| +++ b/fs/cifs/file.c |
| @@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFil |
| |
| /* |
| * Accessing maxBuf is racy with cifs_reconnect - need to store value |
| - * and check it for zero before using. |
| + * and check it before using. |
| */ |
| max_buf = tcon->ses->server->maxBuf; |
| - if (!max_buf) { |
| + if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) { |
| free_xid(xid); |
| return -EINVAL; |
| } |
| @@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo *c |
| |
| /* |
| * Accessing maxBuf is racy with cifs_reconnect - need to store value |
| - * and check it for zero before using. |
| + * and check it before using. |
| */ |
| max_buf = tcon->ses->server->maxBuf; |
| - if (!max_buf) |
| + if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) |
| return -EINVAL; |
| |
| max_num = (max_buf - sizeof(struct smb_hdr)) / |
| --- a/fs/cifs/smb2file.c |
| +++ b/fs/cifs/smb2file.c |
| @@ -124,10 +124,10 @@ smb2_unlock_range(struct cifsFileInfo *c |
| |
| /* |
| * Accessing maxBuf is racy with cifs_reconnect - need to store value |
| - * and check it for zero before using. |
| + * and check it before using. |
| */ |
| max_buf = tcon->ses->server->maxBuf; |
| - if (!max_buf) |
| + if (max_buf < sizeof(struct smb2_lock_element)) |
| return -EINVAL; |
| |
| max_num = max_buf / sizeof(struct smb2_lock_element); |