diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2023-12-20 21:09:47 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2023-12-20 21:09:47 -0800 |
| commit | eee7f5b48e20c585dc8069b3ab8abdcabd0afded (patch) | |
| tree | 64b04aaa8fc7892151f131ade276a478c07d9151 /fs/smb/client/misc.c | |
| parent | 1bf5c8925609425fe0ff7270fe8fb14246c01694 (diff) | |
| parent | 12d1e301bdfd1f2e2f371432dedef7cce8f01c4a (diff) | |
Merge tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fixes from Steve French:
- two multichannel reconnect fixes, one fixing an important refcounting
problem that can lead to umount problems
- atime fix
- five fixes for various potential OOB accesses, including a CVE fix,
and two additional fixes for problems pointed out by Robert Morris's
fuzzing investigation
* tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: do not let cifs_chan_update_iface deallocate channels
cifs: fix a pending undercount of srv_count
fs: cifs: Fix atime update check
smb: client: fix potential OOB in smb2_dump_detail()
smb: client: fix potential OOB in cifs_dump_detail()
smb: client: fix OOB in smbCalcSize()
smb: client: fix OOB in SMB2_query_info_init()
smb: client: fix OOB in cifsd when receiving compounded resps
Diffstat (limited to 'fs/smb/client/misc.c')
| -rw-r--r-- | fs/smb/client/misc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ |