[PATCH] cifs: don't send invalid setxattr requests

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] cifs: don't send invalid setxattr requests

Samba - samba-technical mailing list
There is a static checker warning here because we're taking a "size"
from the user which is in the 1-XATTR_SIZE_MAX range and we're assuming
it's large enough to hold a sizeof(struct cifs_ntsd).  This doesn't
cause a buffer overflow or anything, we just end up sending an invalid
sized command to the server.  The server checks for that in
CIFSSMBGetCIFSACL() and rejects it.

Signed-off-by: Dan Carpenter <[hidden email]>
---
Not tested.  Please review this one carefully.

diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
index de50e749ff05..70bdce5add24 100644
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -93,6 +93,10 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
 
  if (!value)
  goto out;
+ if (size < sizeof(struct cifs_ntsd)) {
+ rc = -EINVAL;
+ goto out;
+ }
  pacl = kmalloc(size, GFP_KERNEL);
  if (!pacl) {
  rc = -ENOMEM;

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] cifs: don't send invalid setxattr requests

Samba - samba-technical mailing list
2017-08-10 5:21 GMT-07:00 Dan Carpenter <[hidden email]>:

> There is a static checker warning here because we're taking a "size"
> from the user which is in the 1-XATTR_SIZE_MAX range and we're assuming
> it's large enough to hold a sizeof(struct cifs_ntsd).  This doesn't
> cause a buffer overflow or anything, we just end up sending an invalid
> sized command to the server.  The server checks for that in
> CIFSSMBGetCIFSACL() and rejects it.
>
> Signed-off-by: Dan Carpenter <[hidden email]>
> ---
> Not tested.  Please review this one carefully.
>
> diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
> index de50e749ff05..70bdce5add24 100644
> --- a/fs/cifs/xattr.c
> +++ b/fs/cifs/xattr.c
> @@ -93,6 +93,10 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
>
>                 if (!value)
>                         goto out;
> +               if (size < sizeof(struct cifs_ntsd)) {
> +                       rc = -EINVAL;
> +                       goto out;
> +               }
>                 pacl = kmalloc(size, GFP_KERNEL);
>                 if (!pacl) {
>                         rc = -ENOMEM;
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to [hidden email]
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Acked-by: Pavel Shilovsky <[hidden email]>

--
Best regards,
Pavel Shilovsky