From: Chih-Yen Chang cc85nod@gmail.com
mainline inclusion from mainline-v6.4-rc3 commit 443d61d1fa9faa60ef925513d83742902390100f category: bugfix bugzilla: 189030, https://gitee.com/openeuler/kernel/issues/I7LU2I CVE: CVE-2023-38429
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id...
----------------------------------------
ksmbd_smb2_check_message allows client to return one byte more, so we need to allocate additional memory in ksmbd_conn_handler_loop to avoid out-of-bound access.
Cc: stable@vger.kernel.org Signed-off-by: Chih-Yen Chang cc85nod@gmail.com Acked-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com
Conflict: fs/ksmbd/connection.c
Signed-off-by: Li Nan linan122@huawei.com --- fs/ksmbd/connection.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c index 8e15ec9e8f43..9c4ca0bbd71e 100644 --- a/fs/ksmbd/connection.c +++ b/fs/ksmbd/connection.c @@ -309,7 +309,8 @@ int ksmbd_conn_handler_loop(void *p) }
/* 4 for rfc1002 length field */ - size = pdu_size + 4; + /* 1 for implied bcc[0] */ + size = pdu_size + 4 + 1; conn->request_buf = kvmalloc(size, GFP_KERNEL); if (!conn->request_buf) continue;
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/1551 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Z...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/1551 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Z...