ksmbd: fix potencial 32bit overflow from data area check in smb2_write

DataOffset and Length validation can be potencial 32bit overflow.
This patch fix it.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 79b296abe04e4e25e332b696a216940d4524df9c..7b4689f2df499eb60b26e34b2f442e1e60d9e3dd 100644 (file)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6197,8 +6197,7 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
            (offsetof(struct smb2_write_req, Buffer) - 4)) {
                data_buf = (char *)&req->Buffer[0];
        } else {
-               if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
-                   (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
+               if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
                        pr_err("invalid write data offset %u, smb_len %u\n",
                               le16_to_cpu(req->DataOffset),
                               get_rfc1002_len(req));
@@ -6356,8 +6355,7 @@ int smb2_write(struct ksmbd_work *work)
                    (offsetof(struct smb2_write_req, Buffer) - 4)) {
                        data_buf = (char *)&req->Buffer[0];
                } else {
-                       if ((le16_to_cpu(req->DataOffset) > get_rfc1002_len(req)) ||
-                           (le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req))) {
+                       if ((u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(req)) {
                                pr_err("invalid write data offset %u, smb_len %u\n",
                                       le16_to_cpu(req->DataOffset),
                                       get_rfc1002_len(req));