cifs: integer overflow in in SMB2_ioctl()

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72daf ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Steve French <[email protected]> Reviewed-by: Aurelien Aptel <[email protected]> CC: Stable <[email protected]>
josf · Sep 12, 2018 · 2d204ee · 2d204ee
1 parent 56446f2
commit 2d204ee
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
@@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 	/* We check for obvious errors in the output buffer length and offset */
 	if (*plen == 0)
 		goto ioctl_exit; /* server returned no data */
-	else if (*plen > 0xFF00) {
+	else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
 		cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
 		*plen = 0;
 		rc = -EIO;
 		goto ioctl_exit;
 	}
 
-	if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) {
+	if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
 		cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
 			le32_to_cpu(rsp->OutputOffset));
 		*plen = 0;