cifs: integer overflow in in SMB2_ioctl()

BugLink: https://bugs.launchpad.net/bugs/1836117
commit 2d204ee9d671327915260071c19350d84344e096 upstream.

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index ce81ab5e60a476f11e135e79b2adccd227f9560d..cf83cb80fce91d2d2e63438b7dca59c108fef368 100644 (file)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2004,14 +2004,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        /* We check for obvious errors in the output buffer length and offset */
        if (*plen == 0)
                goto ioctl_exit; /* server returned no data */
-       else if (*plen > 0xFF00) {
+       else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
                cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
                *plen = 0;
                rc = -EIO;
                goto ioctl_exit;
        }
 
-       if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
+       if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) {
                cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
                        le32_to_cpu(rsp->OutputOffset));
                *plen = 0;