Skip to content

Commit

Permalink
SMB: fix validate negotiate info uninitialised memory use
Browse files Browse the repository at this point in the history 
An undersize validate negotiate info server response causes the client
to use uninitialised memory for struct validate_negotiate_info_rsp
comparisons of Dialect, SecurityMode and/or Capabilities members.

Link: https://bugzilla.samba.org/show_bug.cgi?id=13092
Fixes: 7db0a6e ("SMB3: Work around mount failure when using SMB3 dialect to Macs")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
  • Loading branch information
David Disseldorp authored and Steve French committed Oct 25, 2017
1 parent fe83beb commit a2d9daa
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion fs/cifs/smb2pdu.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -727,7 +727,8 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
rsplen);

/* relax check since Mac returns max bufsize allowed on ioctl */
if (rsplen > CIFSMaxBufSize)
if ((rsplen > CIFSMaxBufSize)
|| (rsplen < sizeof(struct validate_negotiate_info_rsp)))
goto err_rsp_free;
}

Expand Down

0 comments on commit a2d9daa

Please sign in to comment.