mirror of
https://github.com/Fishwaldo/linux-bl808.git
synced 2025-03-15 19:45:26 +00:00
ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
"nt_len - CIFS_ENCPWD_SIZE" is passed directly from
ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests
can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative
number (or large unsigned value) used for a subsequent memcpy in
ksmbd_auth_ntlvm2 and can cause a panic.
Fixes: e2f34481b2
("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
cdfb2fef52
commit
797805d81b
1 changed files with 2 additions and 1 deletions
|
@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
|
|||
dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
|
||||
dn_len = le16_to_cpu(authblob->DomainName.Length);
|
||||
|
||||
if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
|
||||
if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
|
||||
nt_len < CIFS_ENCPWD_SIZE)
|
||||
return -EINVAL;
|
||||
|
||||
/* TODO : use domain name that imported from configuration file */
|
||||
|
|
Loading…
Add table
Reference in a new issue