git: dd66ba430cb9 - stable/12 - netsmb: Add bounds checking to smb_t2_placedata
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 06 Sep 2023 21:57:05 UTC
The branch stable/12 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=dd66ba430cb9d4c53fdd583fa2f20521552d58ff
commit dd66ba430cb9d4c53fdd583fa2f20521552d58ff
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-08-04 23:42:41 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-09-06 20:03:18 +0000
netsmb: Add bounds checking to smb_t2_placedata
Verify that the requested region of the mbuf chain is not beyond the
end of the chain before trimming it from the end. If it is out of
bounds, fail with an error (EPROTO).
While here, properly handle the case that the amount of data at the
end of the chain might span more than one mbuf by using m_adj to drop
the extra bytes rather than assuming m_len of the last mbuf can be
adjusted directly.
PR: 258504
Reported by: Robert Morris <rtm@lcs.mit.edu>
Co-authored-by: Robert Morris <rtm@lcs.mit.edu>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41229
(cherry picked from commit aca3d65fedffbbe71399a88d33ea8ecf550177eb)
---
sys/netsmb/smb_rq.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c
index 5a2ec0e7214a..c55dd1d91891 100644
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@@ -426,12 +426,18 @@ static int
smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count,
struct mdchain *mdp)
{
- struct mbuf *m, *m0;
+ struct mbuf *m0;
int len;
+ len = m_length(mtop, NULL);
+ if (offset + count > len)
+ return (EPROTO);
+
m0 = m_split(mtop, offset, M_WAITOK);
- len = m_length(m0, &m);
- m->m_len -= len - count;
+ if (len != offset + count) {
+ len -= offset + count;
+ m_adj(m0, -len);
+ }
if (mdp->md_top == NULL) {
md_initm(mdp, m0);
} else