Commit 9dfce0c

William Liu authored and committed
ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob

"nt_len - CIFS_ENCPWD_SIZE" is passed directly from ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative number (or large unsigned value) used for a subsequent memcpy in ksmbd_auth_ntlmv2 and can cause a panic.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: [email protected]
Signed-off-by: William Liu <[email protected]>
Signed-off-by: Hrvoje Mišetić <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
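The underflow the commit message describes, as an added user-space model that is not ksmbd code: it mirrors the blob-bounds test from the hunk, derives the same `nt_len - CIFS_ENCPWD_SIZE` value the kernel hands to ksmbd_auth_ntlmv2, and lets you toggle the new `nt_len < CIFS_ENCPWD_SIZE` check to see why an 8-byte NT response wraps to a ~4 GiB copy length. The names CIFS_ENCPWD_SIZE and EINVAL echo the kernel's, but their values here, the `sec_buf`/`authenticate_msg` layout, the `decode_nt_resp` and `would_overread` helpers and both requests are constructed for this example.

```c
/* Added example, not ksmbd source: models the length check this commit adds.
 * CIFS_ENCPWD_SIZE and EINVAL echo kernel names; their values, the struct
 * layout and the requests below are assumptions made for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_ENCPWD_SIZE 16   /* assumed: bytes of NT proof that precede the NTLMv2 blob */
#define EINVAL 22

/* Constructed stand-in for an NTLMSSP security buffer (Length/MaxLength/Offset). */
struct sec_buf {
	uint16_t len;
	uint16_t max_len;
	uint32_t off;
};

/* Only the NtChallengeResponse field matters for this example. */
struct authenticate_msg {
	struct sec_buf nt;
};

/*
 * Validate that the NT response lies inside the received blob, then derive
 * the length that the NTLMv2 verifier would memcpy out of it.  'fixed'
 * selects whether the nt_len < CIFS_ENCPWD_SIZE check from this commit is
 * applied.  Returns 0 (and stores the length in *resp_len) or -EINVAL.
 */
static int decode_nt_resp(const struct authenticate_msg *m, size_t blob_len,
			  int fixed, size_t *resp_len)
{
	unsigned int nt_off = m->nt.off;
	unsigned int nt_len = m->nt.len;

	/* Pre-existing check: the field must fit in the blob. It passes for a
	 * short field, so it does not catch nt_len < CIFS_ENCPWD_SIZE. */
	if (blob_len < (uint64_t)nt_off + nt_len)
		return -EINVAL;

	/* New check from the hunk: reject before the subtraction can wrap. */
	if (fixed && nt_len < CIFS_ENCPWD_SIZE)
		return -EINVAL;

	/* Same expression the kernel passes on.  With unsigned nt_len = 8 this
	 * evaluates to 4294967288, the "large unsigned value" from the log. */
	*resp_len = nt_len - CIFS_ENCPWD_SIZE;
	return 0;
}

/* 1 if copying resp_len bytes from nt_off + CIFS_ENCPWD_SIZE would read past blob_len. */
static int would_overread(size_t blob_len, unsigned int nt_off, size_t resp_len)
{
	return (uint64_t)nt_off + CIFS_ENCPWD_SIZE + resp_len > blob_len;
}

/* Constructed malicious request: NT response shorter than the 16-byte proof. */
static const struct authenticate_msg short_req = {
	.nt = { .len = 8, .max_len = 8, .off = 64 }
};
/* Constructed well-formed request: 16-byte proof plus a 24-byte NTLMv2 blob. */
static const struct authenticate_msg ok_req = {
	.nt = { .len = 40, .max_len = 40, .off = 64 }
};

int main(void)
{
	size_t len = 0;
	int rc;

	rc = decode_nt_resp(&short_req, 128, 0, &len);
	printf("unfixed: rc=%d resp_len=%zu overread=%d\n",
	       rc, len, would_overread(128, short_req.nt.off, len));

	rc = decode_nt_resp(&short_req, 128, 1, &len);
	printf("fixed:   rc=%d (-EINVAL is %d)\n", rc, -EINVAL);

	rc = decode_nt_resp(&ok_req, 128, 1, &len);
	printf("valid:   rc=%d resp_len=%zu\n", rc, len);
	return 0;
}
```

Run it once with the unfixed path to see that the bounds test alone is satisfied by the short field while the derived copy length is far larger than the blob; the fixed path turns the same request into a clean -EINVAL before any length is derived.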
1 parent 6aae4ae commit 9dfce0c

File tree

1 file changed, +2 -1 lines changed

Diff for: fs/ksmbd/auth.c

+2-1
@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
322322
dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
323323
dn_len = le16_to_cpu(authblob->DomainName.Length);
324324

325-
if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
325+
if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
326+
nt_len < CIFS_ENCPWD_SIZE)
326327
return -EINVAL;
327328

328329
/* TODO : use domain name that imported from configuration file */
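Review bot: the new `nt_len < CIFS_ENCPWD_SIZE` test enforces a precondition of ksmbd_auth_ntlmv2 (that `nt_len - CIFS_ENCPWD_SIZE` is non-negative) from the caller's side only; a short comment at the check, or the same guard inside ksmbd_auth_ntlmv2, would stop a future caller from reintroducing the underflow. Its placement after the offset checks is fine, since all three conditions only read local variables. Returning a bare -EINVAL leaves no trace of a malformed NTLMSSP blob; a debug log on this path would make rejected authentications easier to triage.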
