cifs: integer overflow in in SMB2_ioctl()

commit 2d204ee9d671327915260071c19350d84344e096 upstream The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Steve French <stfrench@microsoft.com> Reviewed-by: Aurelien Aptel <aaptel@suse.com> CC: Stable <stable@vger.kernel.org> Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2018-09-10 14:12:07 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-29 15:39:08 +0300
commit: 3845c73607ae8de8c7b60d701cdecdc5505c821d (patch)
tree: 688f084b07356b2199a2ae3f7e64cc79836a78ab /fs
parent: 0d9b51366d2da5dc5537c1c6e856cf4c0d08de0e (diff)
download: linux-3845c73607ae8de8c7b60d701cdecdc5505c821d.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 69309538ffb8..1581e8668b09 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	/* We check for obvious errors in the output buffer length and offset */
 	if (*plen == 0)
 		goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
 		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
 		*plen = 0;
 		rc = -EIO;
 		goto ioctl_exit;
 	}
 
-	if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
 		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
 			le32_to_cpu(rsp->OutputOffset));
 		*plen = 0;
author	Dan Carpenter <dan.carpenter@oracle.com>	2018-09-10 14:12:07 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-12-29 15:39:08 +0300
commit	3845c73607ae8de8c7b60d701cdecdc5505c821d (patch)
tree	688f084b07356b2199a2ae3f7e64cc79836a78ab /fs
parent	0d9b51366d2da5dc5537c1c6e856cf4c0d08de0e (diff)
download	linux-3845c73607ae8de8c7b60d701cdecdc5505c821d.tar.xz