ksmbd: Use unsafe_memcpy() for ntlm_negotiate

rsp buffer is allocated larger than spnego_blob from
smb2_allocate_rsp_buf().

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 2df1354288e68a2c5a2faae0eecb164c67a6a0d3..3f4c56a10a86f8d16744cee823c9338532a7ce28 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1370,7 +1370,8 @@ static int ntlm_negotiate(struct ksmbd_work *work,
        }
 
        sz = le16_to_cpu(rsp->SecurityBufferOffset);
-       memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
+       unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
+                       /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
        rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
 
 out:
@@ -1453,7 +1454,9 @@ static int ntlm_authenticate(struct ksmbd_work *work,
                        return -ENOMEM;
 
                sz = le16_to_cpu(rsp->SecurityBufferOffset);
-               memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
+               unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
+                               spnego_blob_len,
+                               /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
                rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
                kfree(spnego_blob);
        }