[patch] cifs: check offset in decode_ntlmssp_challenge()
Jeff Layton
jlayton at redhat.com
Tue Jan 31 04:50:07 MST 2012
On Tue, 31 Jan 2012 14:25:08 +0300
Dan Carpenter <dan.carpenter at oracle.com> wrote:
> On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> > On Tue, 31 Jan 2012 11:52:01 +0300
> > Dan Carpenter <dan.carpenter at oracle.com> wrote:
> >
> > > We should check that we're not copying memory from beyond the end of the
> > > blob.
> > >
> > > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> > >
> > > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > > index d85efad..eb76741 100644
> > > --- a/fs/cifs/sess.c
> > > +++ b/fs/cifs/sess.c
> > > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > > + return -EINVAL;
> > > + }
> >
> > Good catch.
> >
> > Do we really need a || here though? Would it not be sufficient to check
> > if tioffset + tilen > blob_len? Or are you concerned about that value
> > wrapping?
>
> Yep. I was concerned about value wrapping.
>
> regards,
> dan carpenter
>
Seems reasonable then. Thanks...
Reviewed-by: Jeff Layton <jlayton at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120131/daf85a25/attachment.pgp>
More information about the samba-technical
mailing list