ksmbd: validate request buffer size in smb2_allocate_rsp_buf()

namjaejeon · namjaejeon · commit 84291479fb36 · 2024-04-20T09:35:36.000+09:00
The response buffer should be allocated in smb2_allocate_rsp_buf
before validating request. But the fields in payload as well as smb2 header
is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
validation to avoid potencial out-of-bounds in request buffer.

Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
diff --git a/smb2pdu.c b/smb2pdu.c
@@ -541,6 +541,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
 	if (cmd == SMB2_QUERY_INFO_HE) {
 		struct smb2_query_info_req *req;
 
+		if (get_rfc1002_len(work->request_buf) <
+		    offsetof(struct smb2_query_info_req, OutputBufferLength))
+			return -EINVAL;
+
 		req = smb2_get_msg(work->request_buf);
 		if ((req->InfoType == SMB2_O_INFO_FILE &&
 		     (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
