mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-19 17:11:03 +00:00
cifs: Fix potential OOB access of lock element array
commit b9a74cde94
upstream.
If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
4092ad400e
commit
5c467ac09d
2 changed files with 6 additions and 6 deletions
|
@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
|
|||
|
||||
/*
|
||||
* Accessing maxBuf is racy with cifs_reconnect - need to store value
|
||||
* and check it for zero before using.
|
||||
* and check it before using.
|
||||
*/
|
||||
max_buf = tcon->ses->server->maxBuf;
|
||||
if (!max_buf) {
|
||||
if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
|
||||
free_xid(xid);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
|
|||
|
||||
/*
|
||||
* Accessing maxBuf is racy with cifs_reconnect - need to store value
|
||||
* and check it for zero before using.
|
||||
* and check it before using.
|
||||
*/
|
||||
max_buf = tcon->ses->server->maxBuf;
|
||||
if (!max_buf)
|
||||
if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
|
||||
return -EINVAL;
|
||||
|
||||
max_num = (max_buf - sizeof(struct smb_hdr)) /
|
||||
|
|
|
@ -124,10 +124,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
|
|||
|
||||
/*
|
||||
* Accessing maxBuf is racy with cifs_reconnect - need to store value
|
||||
* and check it for zero before using.
|
||||
* and check it before using.
|
||||
*/
|
||||
max_buf = tcon->ses->server->maxBuf;
|
||||
if (!max_buf)
|
||||
if (max_buf < sizeof(struct smb2_lock_element))
|
||||
return -EINVAL;
|
||||
|
||||
max_num = max_buf / sizeof(struct smb2_lock_element);
|
||||
|
|
Loading…
Reference in a new issue