[PATCH 5.15 869/917] ksmbd: Fix buffer length check in fsctl_validate_negotiate_info()

From: Greg Kroah-Hartman
Date: Mon Nov 15 2021 - 19:44:15 EST


From: Marios Makassikis <mmakassikis@xxxxxxxxxx>

commit 78f1688a64cca77758ceb9b183088cf0054bfc82 upstream.

The validate_negotiate_info_req struct definition includes an extra
field to access the data coming after the header. This causes the check
in fsctl_validate_negotiate_info() to count the first element of the
array twice. This in turn makes some valid requests fail, depending on
whether they include padding or not.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@xxxxxxxxxxxxxxx # v5.15
Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Acked-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
Signed-off-by: Marios Makassikis <mmakassikis@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7319,7 +7319,7 @@ static int fsctl_validate_negotiate_info
int ret = 0;
int dialect;

- if (in_buf_len < sizeof(struct validate_negotiate_info_req) +
+ if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) +
le16_to_cpu(neg_req->DialectCount) * sizeof(__le16))
return -EINVAL;