cifs: Validate content of WSL reparse point buffers

WSL socket, fifo, char and block devices have empty reparse buffer.
Validate the length of the reparse buffer.

Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index 732b3b51128bd709c1559eb2be009ead4a83ffe2..e81d2d78ddb7c0637eda1c3de5e85b300f078925 100644 (file)
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -719,6 +719,11 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
        case IO_REPARSE_TAG_LX_FIFO:
        case IO_REPARSE_TAG_LX_CHR:
        case IO_REPARSE_TAG_LX_BLK:
+               if (le16_to_cpu(buf->ReparseDataLength) != 0) {
+                       cifs_dbg(VFS, "srv returned malformed buffer for reparse point: 0x%08x\n",
+                                le32_to_cpu(buf->ReparseTag));
+                       return -EIO;
+               }
                break;
        default:
                cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",