diff options
Diffstat (limited to 'package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch')
-rw-r--r-- | package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch b/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch new file mode 100644 index 0000000000..198e752106 --- /dev/null +++ b/package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch @@ -0,0 +1,36 @@ +From 8824b7af409f51f1316e92e9887c2fd48c0b26d6 Mon Sep 17 00:00:00 2001 +From: William Liu <will@willsroot.io> +Date: Fri, 30 Dec 2022 09:13:35 +0900 +Subject: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in + ksmbd_decode_ntlmssp_auth_blob +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"nt_len - CIFS_ENCPWD_SIZE" is passed directly from +ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests +can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative +number (or large unsigned value) used for a subsequent memcpy in +ksmbd_auth_ntlvm2 and can cause a panic. + +Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Signed-off-by: William Liu <will@willsroot.io> +Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com> +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +--- + auth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/auth.c ++++ b/auth.c +@@ -583,7 +583,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc + dn_off = le32_to_cpu(authblob->DomainName.BufferOffset); + dn_len = le16_to_cpu(authblob->DomainName.Length); + +- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len) ++ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len || ++ nt_len < CIFS_ENCPWD_SIZE) + return -EINVAL; + + #ifdef CONFIG_SMB_INSECURE_SERVER |