ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob

"nt_len - CIFS_ENCPWD_SIZE" is passed directly from
ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests
can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative
number (or large unsigned value) used for a subsequent memcpy in
ksmbd_auth_ntlvm2 and can cause a panic.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: [email protected]
Signed-off-by: William Liu <[email protected]>
Signed-off-by: Hrvoje Mišetić <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c
index 2a39ffb8423b75dfc205215d4df85b09a1859aa4..6e61b5bc7d86ed5add4e940a3972068a508c52a0 100644 (file)
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
        dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);
        dn_len = le16_to_cpu(authblob->DomainName.Length);
 
-       if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)
+       if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||
+           nt_len < CIFS_ENCPWD_SIZE)
                return -EINVAL;
 
        /* TODO : use domain name that imported from configuration file */