linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 10:31:46 +09:00

Go to file

Gustavo A. R. Silva b793e9fca6 smb3: Fix out-of-bounds bug in SMB2_negotiate()

commit 8d8d1dbefc upstream.

While addressing some warnings generated by -Warray-bounds, I found this
bug that was introduced back in 2017:

  CC [M]  fs/cifs/smb2pdu.o
fs/cifs/smb2pdu.c: In function ‘SMB2_negotiate’:
fs/cifs/smb2pdu.c:822:16: warning: array subscript 1 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  822 |   req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:823:16: warning: array subscript 2 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  823 |   req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:824:16: warning: array subscript 3 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  824 |   req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:816:16: warning: array subscript 1 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  816 |   req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~

At the time, the size of array _Dialects_ was changed from 1 to 3 in struct
validate_negotiate_info_req, and then in 2019 it was changed from 3 to 4,
but those changes were never made in struct smb2_negotiate_req, which has
led to a 3 and a half years old out-of-bounds bug in function
SMB2_negotiate() (fs/cifs/smb2pdu.c).

Fix this by increasing the size of array _Dialects_ in struct
smb2_negotiate_req to 4.

Fixes: 9764c02fcb ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
Fixes: d5c7076b77 ("smb3: add smb3.1.1 to default dialect list")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2021-02-10 09:29:17 +01:00

arch

RISC-V: Define MAXPHYSMEM_1GB only for RV32

2021-02-10 09:29:17 +01:00

block

blk-mq: test QUEUE_FLAG_HCTX_ACTIVE for sbitmap_shared in hctx_may_queue

2021-02-03 23:28:44 +01:00

certs

.gitignore: add SPDX License Identifier

2020-03-25 11:50:48 +01:00

crypto

crypto: xor - Fix divide error in do_xor_speed()

2021-01-27 11:54:52 +01:00

Documentation

ovl: implement volatile-specific fsync error behaviour

2021-02-10 09:29:16 +01:00

drivers

xhci: fix bounce buffer usage for non-sg list case

2021-02-10 09:29:17 +01:00

smb3: Fix out-of-bounds bug in SMB2_negotiate()

2021-02-10 09:29:17 +01:00

include

iommu: Check dev->iommu in dev_iommu_priv_get() before dereferencing it

2021-02-10 09:29:17 +01:00

init

fgraph: Initialize tracing_graph_pause at task creation

2021-02-10 09:29:16 +01:00

ipc

ipc: adjust proc_ipc_sem_dointvec definition to match prototype

2020-09-05 12:14:29 -07:00

kernel

genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set

2021-02-10 09:29:17 +01:00

lib

iov_iter: fix the uaccess area in copy_compat_iovec_from_user

2021-01-27 11:55:09 +01:00

LICENSES

LICENSES/deprecated: add Zlib license text

2020-09-16 14:33:49 +02:00

memblock: do not start bottom-up allocations with kernel_end

2021-02-10 09:29:15 +01:00

net

mac80211: fix station rate table updates on assoc

2021-02-10 09:29:16 +01:00

samples

samples/bpf: Fix possible hang in xdpsock with multiple threads

2020-12-30 11:53:49 +01:00

scripts

scripts: use pkg-config to locate libcrypto

2021-02-10 09:29:17 +01:00

security

dump_common_audit_data(): fix racy accesses to ->d_name

2021-01-19 18:27:29 +01:00

sound

ALSA: hda: Add Cometlake-R PCI ID

2021-02-07 15:37:15 +01:00

tools

objtool: Don't fail the kernel build on fatal errors

2021-02-07 15:37:17 +01:00

usr

Merge branch 'work.fdpic' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2020-08-07 13:29:39 -07:00

virt

KVM: Forbid the use of tagged userspace addresses for memslots

2021-02-03 23:28:41 +01:00

.clang-format

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

2020-10-17 11:18:18 -07:00

.cocciconfig

…

.get_maintainer.ignore

Opt out of scripts/get_maintainer.pl

2019-05-16 10:53:40 -07:00

.gitattributes

.gitattributes: use 'dts' diff driver for dts files

2019-12-04 19:44:11 -08:00

.gitignore

.gitignore: docs: ignore sphinx_*/ directories

2020-09-10 10:44:31 -06:00

.mailmap

mailmap: add two more addresses of Uwe Kleine-König

2020-12-06 10:19:07 -08:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

MAINTAINERS: Move Jason Cooper to CREDITS

2020-11-30 10:20:34 +01:00

Kbuild

kbuild: rename hostprogs-y/always to hostprogs/always-y

2020-02-04 01:53:07 +09:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2020-12-10 15:30:13 -08:00

Makefile

kbuild: fix duplicated flags in DEBUG_CFLAGS

2021-02-10 09:29:15 +01:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.