[PATCH OLK-5.10 15/18] ksmbd: allocate one more byte for implied bcc[0]

10 Jun 2023

From: Chih-Yen Chang cc85nod@gmail.com
mainline inclusion
from mainline-v6.4-rc1
commit 443d61d1fa9faa60ef925513d83742902390100f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FNG
CVE: CVE-2023-2593
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
ksmbd_smb2_check_message allows client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bound access.
Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang cc85nod@gmail.com
Acked-by: Namjae Jeon linkinjeon@kernel.org
Signed-off-by: Steve French stfrench@microsoft.com
Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com
Conflicts:
    fs/ksmbd/connection.c
---
 fs/ksmbd/connection.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 79742d871dbe..1ad330d1b337 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -350,7 +350,8 @@ int ksmbd_conn_handler_loop(void *p)
    	}
/* 4 for rfc1002 length field */
-		size = pdu_size + 4;
+		/* 1 for implied bcc[0] */
+		size = pdu_size + 4 + 1;
    	conn->request_buf = kvmalloc(size, GFP_KERNEL);
    	if (!conn->request_buf)
    		continue;
-- 
2.31.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-5.10 15/18] ksmbd: allocate one more byte for implied bcc[0]