cifs: extra sanity checking for cifs.idmap keys
Now that we aren't so rigid about the length of the key being passed
in, we need to be a bit more rigorous about checking the length of
the actual data against the claimed length (a la num_subauths field).

Check for the case where userspace sends us a seemingly valid key
with a num_subauths field that goes beyond the end of the array. If
that happens, return -EIO and invalidate the key.

Also change the other places where we check for malformed keys in this
code to invalidate the key as well.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Jeff Layton authored and Steve French committed Dec 9, 2012
1 parent 41a9f1f commit 2ae0302
Showing 1 changed file with 18 additions and 2 deletions.
20 changes: 18 additions & 2 deletions fs/cifs/cifsacl.c
Expand Up @@ -191,6 +191,8 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
{
int rc;
struct key *sidkey;
struct cifs_sid *ksid;
unsigned int ksid_size;
char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */
const struct cred *saved_cred;

Expand All @@ -211,14 +213,27 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key "
"(datalen=%hu)", __func__, sidkey->datalen);
goto out_key_put;
goto invalidate_key;
}
cifs_copy_sid(ssid, (struct cifs_sid *)sidkey->payload.data);

ksid = (struct cifs_sid *)sidkey->payload.data;
ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
if (ksid_size > sidkey->datalen) {
rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key (datalen=%hu, "
"ksid_size=%u)", __func__, sidkey->datalen, ksid_size);
goto invalidate_key;
}
cifs_copy_sid(ssid, ksid);
out_key_put:
key_put(sidkey);
out_revert_creds:
revert_creds(saved_cred);
return rc;

invalidate_key:
key_invalidate(sidkey);
goto out_key_put;
}

static int
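Review bot: num_subauth is bounded only by sidkey->datalen in the new ksid_size test, not by the number of sub-authorities a struct cifs_sid can hold, so a key whose payload is large enough to match an oversized num_subauth still reaches cifs_copy_sid(ssid, ksid). Unless cifs_copy_sid clamps the count itself (not visible in this hunk), add an explicit upper bound on ksid->num_subauth before computing ksid_size and treat a violation as the same malformed-key case. Reading ksid->num_subauth also assumes the earlier datalen check guarantees at least CIFS_SID_BASE_SIZE bytes of payload; a short comment stating that dependency would help. On style, the invalidate_key label sits after the return and jumps backwards to out_key_put; placing it directly above out_key_put so it falls through would read more naturally and drop one goto.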
Expand Down Expand Up @@ -264,6 +279,7 @@ sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key "
"(datalen=%hu)", __func__, sidkey->datalen);
key_invalidate(sidkey);
goto out_key_put;
}
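Review bot: key_invalidate(sidkey) is open-coded before goto out_key_put in sid_to_id, while id_to_sid routes the same malformed-key failure through an invalidate_key label. Using the same pattern in both functions would keep the error paths consistent and make it harder for a later malformed-key check in sid_to_id to forget the invalidation.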
