diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2025-02-12 03:32:11 +0300 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2025-03-03 07:50:54 +0300 |
| commit | 1b8b67f3c5e5169535e26efedd3e422172e2db64 (patch) | |
| tree | a0d75d0e83ec1edd0c9dc7d857c8fa93260889c4 | |
| parent | 62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d (diff) | |
| download | linux-1b8b67f3c5e5169535e26efedd3e422172e2db64.tar.xz | |
ksmbd: fix incorrect validation for num_aces field of smb_acl
parse_dcal() validate num_aces to allocate posix_ace_state_array.
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.
Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
| -rw-r--r-- | fs/smb/server/smbacl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c index 561f80d3f953..49b128698670 100644 --- a/fs/smb/server/smbacl.c +++ b/fs/smb/server/smbacl.c @@ -398,7 +398,9 @@ static void parse_dacl(struct mnt_idmap *idmap, if (num_aces <= 0) return; - if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) / + (offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) return; ret = init_acl_state(&acl_state, num_aces); @@ -432,6 +434,7 @@ static void parse_dacl(struct mnt_idmap *idmap, offsetof(struct smb_sid, sub_auth); if (end_of_acl - acl_base < acl_size || + ppace[i]->sid.num_subauth == 0 || ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || (end_of_acl - acl_base < acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) || |