diff options
| author | Namjae Jeon <namjae.jeon@samsung.com> | 2021-05-31 11:26:43 +0300 |
|---|---|---|
| committer | Namjae Jeon <namjae.jeon@samsung.com> | 2021-06-01 03:26:22 +0300 |
| commit | 2ae1a6cc43027d84e33819ac4376c5e5e11b4152 (patch) | |
| tree | 68d758c65f564dea50368d3c88418059bb5dc97b | |
| parent | fd6de099d7fabc2b86f51dc622453eb279f7cce9 (diff) | |
| download | linux-2ae1a6cc43027d84e33819ac4376c5e5e11b4152.tar.xz | |
cifsd: fix potential read overflow in ksmbd_vfs_stream_read()
If *pos or *pos + count is greater than v_len, It will read beyond
the stream_buf buffer. This patch add the check and cut down count with
size of the buffer.
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
| -rw-r--r-- | fs/cifsd/vfs.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c index 56b1091473b9..9111b485d611 100644 --- a/fs/cifsd/vfs.c +++ b/fs/cifsd/vfs.c @@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos, if ((int)v_len <= 0) return (int)v_len; + if (v_len <= *pos) { + count = -EINVAL; + goto free_buf; + } + + if (v_len - *pos < count) + count = v_len - *pos; + memcpy(buf, &stream_buf[*pos], count); + +free_buf: kvfree(stream_buf); - return v_len > count ? count : v_len; + return count; } /** |