[patch] cifs: check offset in decode_ntlmssp_challenge()
Dan Carpenter
dan.carpenter at oracle.com
Tue Jan 31 04:25:08 MST 2012
On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> On Tue, 31 Jan 2012 11:52:01 +0300
> Dan Carpenter <dan.carpenter at oracle.com> wrote:
>
> > We should check that we're not copying memory from beyond the end of the
> > blob.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> >
> > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > index d85efad..eb76741 100644
> > --- a/fs/cifs/sess.c
> > +++ b/fs/cifs/sess.c
> > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > + return -EINVAL;
> > + }
>
> Good catch.
>
> Do we really need a || here though? Would it not be sufficient to check
> if tioffset + tilen > blob_len? Or are you concerned about that value
> wrapping?
Yep. I was concerned about value wrapping.
regards,
dan carpenter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120131/522de55e/attachment.pgp>
More information about the samba-technical
mailing list