ksmbd: validate compound response buffer

Add the check to validate compound response buffer. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
author: Namjae Jeon <linkinjeon@kernel.org> 2021-10-11 19:15:25 +0900
committer: Steve French <stfrench@microsoft.com> 2021-10-13 23:37:19 -0500
commit: dbad63001eac3abeeb2b66ddf71504e8ab128c5c (patch)
tree: 2fd6e5b6bef3eab9eab3820f0e226ae1aedc872e /fs
parent: 9a63b999ae5435d82a5c353c6b1467100f857742 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 7b4689f2df49..89c187aa8db2 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -449,6 +449,12 @@ bool is_chained_smb2_message(struct ksmbd_work *work)
 			return false;
 		}
 
+		if ((u64)get_rfc1002_len(work->response_buf) + MAX_CIFS_SMALL_BUFFER_SIZE >
+		    work->response_sz) {
+			pr_err("next response offset exceeds response buffer size\n");
+			return false;
+		}
+
 		ksmbd_debug(SMB, "got SMB2 chained command\n");
 		init_chained_smb2_rsp(work);
 		return true;
author	Namjae Jeon <linkinjeon@kernel.org>	2021-10-11 19:15:25 +0900
committer	Steve French <stfrench@microsoft.com>	2021-10-13 23:37:19 -0500
commit	dbad63001eac3abeeb2b66ddf71504e8ab128c5c (patch)
tree	2fd6e5b6bef3eab9eab3820f0e226ae1aedc872e /fs
parent	9a63b999ae5435d82a5c353c6b1467100f857742 (diff)