Merge: [CVE-2024-50151] smb: client: fix OOBs when building SMB2_IOCTL request

emmil · emmil · commit b052dd12ca30 · 2024-12-02T13:31:22.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5810 JIRA: https://issues.redhat.com/browse/RHEL-66476 CVE: CVE-2024-50151 Signed-off-by: Paulo Alcantara <paalcant@redhat.com> Approved-by: Chris von Recklinghausen <crecklin@redhat.com> Approved-by: Benjamin Coddington <bcodding@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Rado Vrbovsky <rvrbovsk@redhat.com>
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
@@ -3300,6 +3300,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
 		return rc;
 
 	if (indatalen) {
+		unsigned int len;
+
+		if (WARN_ON_ONCE(smb3_encryption_required(tcon) &&
+				 (check_add_overflow(total_len - 1,
+						     ALIGN(indatalen, 8), &len) ||
+				  len > MAX_CIFS_SMALL_BUFFER_SIZE))) {
+			cifs_small_buf_release(req);
+			return -EIO;
+		}
 		/*
 		 * indatalen is usually small at a couple of bytes max, so
 		 * just allocate through generic pool
