Message ID | ZbAmi0VQRY2zdLN6@westworld (mailing list archive)
---|---
State | New, archived
Series | fs/smb/server: fix off-by-one in ksmbd_nl_policy
2024-01-24 5:50 GMT+09:00, Kyle Zeng <zengyhkyle@gmail.com>:
> The size of the policy array should be one larger than genl_family.maxattr,
> or it
> will lead to an off-by-one read during nlattr parsing because
> genl_family.maxattr should be the *largest expected* value
>
> Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
> ---
> fs/smb/server/transport_ipc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
> index b49d47bdafc..185db4d7f2b 100644
> --- a/fs/smb/server/transport_ipc.c
> +++ b/fs/smb/server/transport_ipc.c
> @@ -74,7 +74,7 @@ static int handle_unsupported_event(struct sk_buff *skb,
> struct genl_info *info)
> static int handle_generic_event(struct sk_buff *skb, struct genl_info
> *info);
> static int ksmbd_ipc_heartbeat_request(void);
>
> -static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX] = {
> +static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
Have you checked the following patch? And can this patch replace the patch below?
https://lore.kernel.org/lkml/20240121073506.84528-1-linma@zju.edu.cn/t/
Thanks.
> [KSMBD_EVENT_UNSPEC] = {
> .len = 0,
> },
> --
> 2.34.1
>
>
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index b49d47bdafc..185db4d7f2b 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -74,7 +74,7 @@ static int handle_unsupported_event(struct sk_buff *skb, struct genl_info *info) static int handle_generic_event(struct sk_buff *skb, struct genl_info *info); static int ksmbd_ipc_heartbeat_request(void); -static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX] = { +static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = { [KSMBD_EVENT_UNSPEC] = { .len = 0, },
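Review bot: the new bound `ksmbd_nl_policy[KSMBD_EVENT_MAX + 1]` is only correct if genl_family.maxattr is set to KSMBD_EVENT_MAX, and that assignment is not in the hunk's context, so the commit message should quote the maxattr setting so a reviewer can confirm the off-by-one from the patch alone. The reply in this thread points at an overlapping fix at https://lore.kernel.org/lkml/20240121073506.84528-1-linma@zju.edu.cn/t/; the commit message should state how this change relates to it (duplicate, superseded or complementary), and a Fixes: tag naming the commit that introduced the undersized array would let stable trees pick the change up.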
The size of the policy array should be one larger than genl_family.maxattr, or it will lead to an off-by-one read during nlattr parsing because genl_family.maxattr should be the *largest expected* value.

Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
---
 fs/smb/server/transport_ipc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)