Accueil Explorer Aide
S'inscrire Connexion
phyus
/
linux-vybrid_public
8
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

cifs: verify lengths of QueryAllEAs reply

Make sure the lengths in a QUERY_ALL_EAS reply don't make the parser walk
off the end of the SMB.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Jeff Layton il y a 15 ans
Parent
e529614ad0
commit
0cd126b504
1 fichiers modifiés avec 31 ajouts et 18 suppressions
Vue séparée Afficher les stats Diff
  1. 31 18
      fs/cifs/cifssmb.c

+ 31 - 18
fs/cifs/cifssmb.c
Voir le fichier 

@@ -5285,6 +5285,7 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
 
 	struct fealist *ea_response_data;
 
 	struct fea *temp_fea;
 
 	char *temp_ptr;
 
+	char *end_of_smb;
 
 	__u16 params, byte_count, data_offset;
 
 
 	cFYI(1, ("In Query All EAs path %s", searchName));
 
@@ -5368,22 +5369,47 @@ QAllEAsRetry:
 
 		goto QAllEAsOut;
 
 	}
 
 
+	/* make sure list_len doesn't go past end of SMB */
 
+	end_of_smb = (char *)pByteArea(&pSMBr->hdr) + BCC(&pSMBr->hdr);
 
+	if ((char *)ea_response_data + list_len > end_of_smb) {
 
+		cFYI(1, ("EA list appears to go beyond SMB"));
 
+		rc = -EIO;
 
+		goto QAllEAsOut;
 
+	}
 
+
 
 	/* account for ea list len */
 
 	list_len -= 4;
 
 	temp_fea = ea_response_data->list;
 
 	temp_ptr = (char *)temp_fea;
 
 	while (list_len > 0) {
 
+		__u8 name_len;
 
 		__u16 value_len;
 
+
 
 		list_len -= 4;
 
 		temp_ptr += 4;
 
-		rc += temp_fea->name_len;
 
+		/* make sure we can read name_len and value_len */
 
+		if (list_len < 0) {
 
+			cFYI(1, ("EA entry goes beyond length of list"));
 
+			rc = -EIO;
 
+			goto QAllEAsOut;
 
+		}
 
+
 
+		name_len = temp_fea->name_len;
 
+		value_len = le16_to_cpu(temp_fea->value_len);
 
+		list_len -= name_len + 1 + value_len;
 
+		if (list_len < 0) {
 
+			cFYI(1, ("EA entry goes beyond length of list"));
 
+			rc = -EIO;
 
+			goto QAllEAsOut;
 
+		}
 
+
 
 		/* account for prefix user. and trailing null */
 
-		rc = rc + 5 + 1;
 
+		rc += (5 + 1 + name_len);
 
 		if (rc < (int) buf_size) {
 
 			memcpy(EAData, "user.", 5);
 
 			EAData += 5;
 
-			memcpy(EAData, temp_ptr, temp_fea->name_len);
 
-			EAData += temp_fea->name_len;
 
+			memcpy(EAData, temp_ptr, name_len);
 
+			EAData += name_len;
 
 			/* null terminate name */
 
 			*EAData = 0;
 
 			++EAData;
 
@@ -5394,20 +5420,7 @@ QAllEAsRetry:
 
 			rc = -ERANGE;
 
 			break;
 
 		}
 
-		list_len -= temp_fea->name_len;
 
-		temp_ptr += temp_fea->name_len;
 
-		/* account for trailing null */
 
-		list_len--;
 
-		temp_ptr++;
 
-		value_len = le16_to_cpu(temp_fea->value_len);
 
-		list_len -= value_len;
 
-		temp_ptr += value_len;
 
-		/* BB check that temp_ptr is still
 
-		      within the SMB BB*/
 
-
 
-		/* no trailing null to account for
 
-		   in value len */
 
-		/* go on to next EA */
 
+		temp_ptr += name_len + 1 + value_len;
 
 		temp_fea = (struct fea *)temp_ptr;
 
 	}