ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob - linux/linux-stable.git

diff options

author	William Liu <will@willsroot.io>	2022-12-30 13:03:15 +0900
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-01-12 12:00:48 +0100
commit	1e7ed525c60d8d51daf2700777071cd0dfb6f807 (patch)
tree	3c202dfee446dd4d794a60f9b8b0202cf2b43a49 /fs/btrfs/disk-io.c
parent	dddaf6a1b0cfe7e068d748ae10ce4a00fba92665 (diff)

ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob

commit 797805d81baa814f76cf7bdab35f86408a79d707 upstream. "nt_len - CIFS_ENCPWD_SIZE" is passed directly from ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative number (or large unsigned value) used for a subsequent memcpy in ksmbd_auth_ntlvm2 and can cause a panic. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: William Liu <will@willsroot.io> Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'fs/btrfs/disk-io.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: