cifs: Validate content of WSL reparse point buffers

WSL socket, fifo, char and block devices have empty reparse buffer. Validate the length of the reparse buffer. Signed-off-by: Pali Rohár <pali@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Pali Rohár <pali@kernel.org> 2024-09-21 02:29:33 +0300
committer: Steve French <stfrench@microsoft.com> 2024-11-25 23:50:32 +0300
commit: 1f48660667efb97c3cf70485c7e1977af718b48b (patch)
tree: 3e648ffafcb4270582e74bb16eb858c9383ab160
parent: d3d797e326533794c3f707ce1761da7a8895458c (diff)
download: linux-1f48660667efb97c3cf70485c7e1977af718b48b.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index 732b3b51128b..e81d2d78ddb7 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -719,6 +719,11 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
 	case IO_REPARSE_TAG_LX_FIFO:
 	case IO_REPARSE_TAG_LX_CHR:
 	case IO_REPARSE_TAG_LX_BLK:
+		if (le16_to_cpu(buf->ReparseDataLength) != 0) {
+			cifs_dbg(VFS, "srv returned malformed buffer for reparse point: 0x%08x\n",
+				 le32_to_cpu(buf->ReparseTag));
+			return -EIO;
+		}
 		break;
 	default:
 		cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
author	Pali Rohár <pali@kernel.org>	2024-09-21 02:29:33 +0300
committer	Steve French <stfrench@microsoft.com>	2024-11-25 23:50:32 +0300
commit	1f48660667efb97c3cf70485c7e1977af718b48b (patch)
tree	3e648ffafcb4270582e74bb16eb858c9383ab160
parent	d3d797e326533794c3f707ce1761da7a8895458c (diff)
download	linux-1f48660667efb97c3cf70485c7e1977af718b48b.tar.xz