Commit 816a6e29 authored by Ross Lagerwall's avatar Ross Lagerwall Committed by Stefan Bader

cifs: Fix potential OOB access of lock element array

BugLink: https://bugs.launchpad.net/bugs/1818237

commit b9a74cde upstream.

If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.
Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent fbd9c528
...@@ -1073,10 +1073,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) ...@@ -1073,10 +1073,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
/* /*
* Accessing maxBuf is racy with cifs_reconnect - need to store value * Accessing maxBuf is racy with cifs_reconnect - need to store value
* and check it for zero before using. * and check it before using.
*/ */
max_buf = tcon->ses->server->maxBuf; max_buf = tcon->ses->server->maxBuf;
if (!max_buf) { if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
free_xid(xid); free_xid(xid);
return -EINVAL; return -EINVAL;
} }
...@@ -1404,10 +1404,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, ...@@ -1404,10 +1404,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
/* /*
* Accessing maxBuf is racy with cifs_reconnect - need to store value * Accessing maxBuf is racy with cifs_reconnect - need to store value
* and check it for zero before using. * and check it before using.
*/ */
max_buf = tcon->ses->server->maxBuf; max_buf = tcon->ses->server->maxBuf;
if (!max_buf) if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
return -EINVAL; return -EINVAL;
max_num = (max_buf - sizeof(struct smb_hdr)) / max_num = (max_buf - sizeof(struct smb_hdr)) /
......
...@@ -123,10 +123,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, ...@@ -123,10 +123,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
/* /*
* Accessing maxBuf is racy with cifs_reconnect - need to store value * Accessing maxBuf is racy with cifs_reconnect - need to store value
* and check it for zero before using. * and check it before using.
*/ */
max_buf = tcon->ses->server->maxBuf; max_buf = tcon->ses->server->maxBuf;
if (!max_buf) if (max_buf < sizeof(struct smb2_lock_element))
return -EINVAL; return -EINVAL;
max_num = max_buf / sizeof(struct smb2_lock_element); max_num = max_buf / sizeof(struct smb2_lock_element);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment