| Message ID | 20241125083746.74543-1-mngyadam@amazon.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2,5.4/5.10/5.15] cifs: Fix buffer overflow when parsing NFS reparse points | expand |
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 9ec67b76bc062..4f7639afa7627 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2807,6 +2807,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ len = le16_to_cpu(symlink_buf->ReparseDataLength); + if (len < sizeof(symlink_buf->InodeType)) { + cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); + return -EIO; + } + + len -= sizeof(symlink_buf->InodeType); if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { cifs_dbg(VFS, "%lld not a supported symlink type\n",