From: Dan Carpenter <dan.carpenter@linaro.org>
mainline inclusion
from mainline-v6.8-rc4
commit cffe487026be13eaf37ea28b783d9638ab147204
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJRD
CVE: CVE-2024-26828
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.
Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Conflict: fs/cifs/smb2ops.c
Signed-off-by: Long Li <leo.lilong@huawei.com>
---
 fs/cifs/smb2ops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index eba4bdfff08a..58d9554e74ce 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -351,7 +351,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
bytes_left = buf_len; p = buf; - while (bytes_left >= sizeof(*p)) { + while (bytes_left >= (ssize_t)sizeof(*p)) { nb_iface++; next = le32_to_cpu(p->Next); if (!next) { @@ -385,7 +385,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf, info = *iface_list; bytes_left = buf_len; p = buf; - while (bytes_left >= sizeof(*p)) { + while (bytes_left >= (ssize_t)sizeof(*p)) { info->speed = le64_to_cpu(p->LinkSpeed); info->rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE); info->rss_capable = le32_to_cpu(p->Capability & RSS_CAPABLE);
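Review bot: In the first hunk (the counting loop at -351), the `(ssize_t)` cast on `sizeof(*p)` carries the whole fix, but nothing in the code says why it is there, so it reads as a redundant cast that a later cleanup could drop. A short comment on the `while` line, or a signed local such as `const ssize_t min_len = sizeof(*p);` used in the condition, would make the signedness requirement explicit. The subtraction of `next` from `bytes_left` is outside the visible context, so it is also worth confirming whether `next` is checked against `bytes_left` before that step, which would keep the count from going negative at all.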
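Review bot: In the second hunk (the fill loop at -385), the loop condition is a second copy of the one in the counting loop, and this pass writes through `info`, so the two conditions have to stay identical for the fill pass to visit the same number of entries that `nb_iface` counted. Sharing one definition of the minimum length between both `while` lines, or also stopping the fill loop once `nb_iface` entries have been written, would keep the passes from diverging. How `*iface_list` is sized is not visible in this hunk, so that bound is a suggestion to check against the allocation.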
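The signed/unsigned comparison described in the commit message, as an added user-space example that is not part of the patch or the kernel source. `struct rec`, `walk`, `demo` and the 64-byte backing buffer are constructed for illustration; the backing buffer is larger than the claimed length so the pre-fix path can be observed without reading outside a real allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for one variable-length record; not the kernel struct. */
struct rec {
    uint32_t next;   /* offset to the next record, 0 marks the last one */
    uint32_t value;
};
#define BACKING 64   /* real allocation, so the demo never reads out of bounds */

/* Count records admitted for a claimed buf_len; signed_cmp=0 is the pre-fix test. */
static int walk(const unsigned char *buf, size_t buf_len, int signed_cmp)
{
    ssize_t bytes_left = (ssize_t)buf_len;
    size_t off = 0;
    int visited = 0;
    for (;;) {
        /* Without the cast, bytes_left is converted to size_t before comparing. */
        int more = signed_cmp ? (bytes_left >= (ssize_t)sizeof(struct rec))
                              : (bytes_left >= sizeof(struct rec));
        struct rec r;
        if (!more || off + sizeof(r) > BACKING)
            break;
        memcpy(&r, buf + off, sizeof(r));
        visited++;
        if (!r.next)
            break;
        off += r.next;
        bytes_left -= r.next;   /* goes negative when next overshoots buf_len */
    }
    return visited;
}

/* Constructed input: 16 claimed bytes; the second record's next points past them. */
static int demo(int signed_cmp)
{
    unsigned char buf[BACKING] = {0};
    struct rec a = { .next = 8, .value = 1 }, b = { .next = 24, .value = 2 };
    memcpy(buf, &a, sizeof(a));
    memcpy(buf + 8, &b, sizeof(b));
    return walk(buf, 16, signed_cmp);
}

int main(void)
{
    printf("pre-fix: %d records, patched: %d records\n", demo(0), demo(1));
    return 0;
}
```

With the pre-fix comparison the walker admits a third record at offset 32, beyond the 16 bytes it was told it had; with the cast it stops after the two records that fit.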