cifs: Fix potential OOB access of lock element array
authorRoss Lagerwall <ross.lagerwall@citrix.com>
Tue, 8 Jan 2019 18:30:57 +0000 (18:30 +0000)
committerSteve French <stfrench@microsoft.com>
Fri, 11 Jan 2019 13:14:40 +0000 (07:14 -0600)
If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
fs/cifs/file.c
fs/cifs/smb2file.c

index 673f948e4760c89be4fcdf83dbb0d77c7d081544..5b6f8392d9db415501ba4a3ec68480ffdc571acb 100644 (file)
@@ -1132,10 +1132,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
 
        /*
         * Accessing maxBuf is racy with cifs_reconnect - need to store value
-        * and check it for zero before using.
+        * and check it before using.
         */
        max_buf = tcon->ses->server->maxBuf;
-       if (!max_buf) {
+       if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
                free_xid(xid);
                return -EINVAL;
        }
@@ -1476,10 +1476,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 
        /*
         * Accessing maxBuf is racy with cifs_reconnect - need to store value
-        * and check it for zero before using.
+        * and check it before using.
         */
        max_buf = tcon->ses->server->maxBuf;
-       if (!max_buf)
+       if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
                return -EINVAL;
 
        BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
index eff01ed6db0a6c56a80d9f370bc4d4b77a260f5c..b204e84b87fb52d938dc138379f7877ffb2ba74a 100644 (file)
@@ -122,10 +122,10 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 
        /*
         * Accessing maxBuf is racy with cifs_reconnect - need to store value
-        * and check it for zero before using.
+        * and check it before using.
         */
        max_buf = tcon->ses->server->maxBuf;
-       if (!max_buf)
+       if (max_buf < sizeof(struct smb2_lock_element))
                return -EINVAL;
 
        BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);