Tree - kernel/kernel-source - Pagure for openSUSE

kernel / kernel-source

Source
Stats

Files

Commit: c5b4604852c852b09d2b5d0753f5c34058b4f1c3

Blob Blame History Raw

From: Chih-Yen Chang <cc85nod@gmail.com>
Date: Sat, 6 May 2023 00:03:54 +0900
Subject: [PATCH] ksmbd: allocate one more byte for implied bcc[0]
References: bsc#1012628
Patch-mainline: 6.3.4
Git-commit: 443d61d1fa9faa60ef925513d83742902390100f

commit 443d61d1fa9faa60ef925513d83742902390100f upstream.

ksmbd_smb2_check_message allows client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bound access.

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ksmbd/connection.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index 4ed379f9..4882a812 100644
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -351,7 +351,8 @@ int ksmbd_conn_handler_loop(void *p)
 			break;
 
 		/* 4 for rfc1002 length field */
-		size = pdu_size + 4;
+		/* 1 for implied bcc[0] */
+		size = pdu_size + 4 + 1;
 		conn->request_buf = kvmalloc(size, GFP_KERNEL);
 		if (!conn->request_buf)
 			break;
-- 
2.35.3

kernel / kernel-source

Source Code

Files