ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

An offset from client could be a negative value, It could lead
to an out-of-bounds read from the stream_buf.
Note that this issue is coming when setting
'vfs objects = streams_xattr parameter' in ksmbd.conf.

Cc: [email protected] # v5.15+
Reported-by: Jordy Zomer <[email protected]>
Signed-off-by: Jordy Zomer <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 416f7df4edef5d1da80cec845261a0a358813532..7b6a3952f228e7938bad9681aaadb3a6bf1e50d3 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6663,6 +6663,10 @@ int smb2_read(struct ksmbd_work *work)
        }
 
        offset = le64_to_cpu(req->Offset);
+       if (offset < 0) {
+               err = -EINVAL;
+               goto out;
+       }
        length = le32_to_cpu(req->Length);
        mincount = le32_to_cpu(req->MinimumCount);