From: Dan Carpenter Date: Mon, 10 Sep 2018 11:12:07 +0000 (+0300) Subject: cifs: integer overflow in in SMB2_ioctl() X-Git-Tag: v4.18.10~95 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f63dbd23e8a7d1d342c6dbe7033039326da2a5ed;p=users%2Fdwmw2%2Flinux.git cifs: integer overflow in in SMB2_ioctl() commit 2d204ee9d671327915260071c19350d84344e096 upstream. The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter Signed-off-by: Steve French Reviewed-by: Aurelien Aptel CC: Stable Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 188e63ff54454..29cce842ed04d 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2418,14 +2418,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, /* We check for obvious errors in the output buffer length and offset */ if (*plen == 0) goto ioctl_exit; /* server returned no data */ - else if (*plen > 0xFF00) { + else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) { cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen); *plen = 0; rc = -EIO; goto ioctl_exit; } - if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) { + if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) { cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen, le32_to_cpu(rsp->OutputOffset)); *plen = 0;