From: Marios Makassikis mmakassikis@freebox.fr
mainline inclusion from mainline-5.15-rc1 commit e7735c854880084a6d97e60465f19daa42842eff category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/e7735c854880
-------------------------------
When processing a SMB2 QUERY_DIRECTORY request, smb2_populate_readdir_entry() is called first to fill the dot/dotdot entries. This moves the d_info->wptr pointer but out_buf_len remains unchanged. As a result, reserve_populate_dentry() may end up writing past the end of the buffer since the bounds checking is done on invalid values.
Signed-off-by: Marios Makassikis mmakassikis@freebox.fr Signed-off-by: Namjae Jeon namjae.jeon@samsung.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- fs/cifsd/smb2pdu.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c index fec385318ff3..54df9a30bd23 100644 --- a/fs/cifsd/smb2pdu.c +++ b/fs/cifsd/smb2pdu.c @@ -3333,6 +3333,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
d_info->last_entry_offset = d_info->data_count; d_info->data_count += next_entry_offset; + d_info->out_buf_len -= next_entry_offset; d_info->wptr += next_entry_offset; kfree(conv_name);