[PATCH] cifs: don't send invalid setxattr requests
Dan Carpenter
dan.carpenter at oracle.com
Thu Aug 10 12:21:43 UTC 2017
There is a static checker warning here because we're taking a "size"
from the user which is in the 1-XATTR_SIZE_MAX range and we're assuming
it's large enough to hold a sizeof(struct cifs_ntsd). This doesn't
cause a buffer overflow or anything, we just end up sending an invalid
sized command to the server. The server checks for that in
CIFSSMBGetCIFSACL() and rejects it.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
---
Not tested. Please review this one carefully.
diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
index de50e749ff05..70bdce5add24 100644
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -93,6 +93,10 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
if (!value)
goto out;
+ if (size < sizeof(struct cifs_ntsd)) {
+ rc = -EINVAL;
+ goto out;
+ }
pacl = kmalloc(size, GFP_KERNEL);
if (!pacl) {
rc = -ENOMEM;
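Review bot: the new `if (size < sizeof(struct cifs_ntsd))` test only establishes that the fixed-size header fits in the caller's buffer. It does not show that the rest of the descriptor is consistent with `size`, so anything at or above that minimum still relies on later validation. A one-line comment above the check saying that the minimum is the security descriptor header would make the `-EINVAL` less surprising to callers. Since the patch is marked "Not tested", please also confirm that reaching `out` before `pacl` is allocated is safe. The existing `if (!value) goto out;` just above suggests it is, but the `out` label itself is not visible in this hunk.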
More information about the samba-technical
mailing list