cifs: prevent copying past input buffer boundaries

commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream. Prevent copying past @data buffer in smb2_validate_and_copy_iov() as the output buffer in @iov might be potentially bigger and thus copying more bytes than requested in @minbufsize. Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Cc: Georg Müller <georgmueller@gmx.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Paulo Alcantara <pc@cjr.nz> 2022-10-06 13:04:05 -0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-07 11:16:07 +0100
commit: 7ceb25df4900183479deacd3ccf7add41b2b836a (patch)
tree: e751f2edea1c43978132f64e39e859bfcf03d284
parent: dc11755b4e61562602dc9b9745dc585533d54d72 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index aa0245268d40..6a1227967197 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3481,7 +3481,7 @@ smb2_validate_and_copy_iov(unsigned int offset, unsigned int buffer_length,
 	if (rc)
 		return rc;
 
-	memcpy(data, begin_of_buf, buffer_length);
+	memcpy(data, begin_of_buf, minbufsize);
 
 	return 0;
 }
@@ -3605,7 +3605,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
 
 	rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset),
 					le32_to_cpu(rsp->OutputBufferLength),
-					&rsp_iov, min_len, *data);
+					&rsp_iov, dlen ? *dlen : min_len, *data);
 	if (rc && allocated) {
 		kfree(*data);
 		*data = NULL;
author	Paulo Alcantara <pc@cjr.nz>	2022-10-06 13:04:05 -0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-01-07 11:16:07 +0100
commit	7ceb25df4900183479deacd3ccf7add41b2b836a (patch)
tree	e751f2edea1c43978132f64e39e859bfcf03d284
parent	dc11755b4e61562602dc9b9745dc585533d54d72 (diff)