diff options
| author | William Liu <will@willsroot.io> | 2022-12-30 13:03:15 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2023-01-01 22:49:24 -0600 |
| commit | 797805d81baa814f76cf7bdab35f86408a79d707 (patch) | |
| tree | 58f3095507d810f88c68b0cc001d9887f997c1cd /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | cdfb2fef522d0c3f9cf293db51de88e9b3d46846 (diff) | |
ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
"nt_len - CIFS_ENCPWD_SIZE" is passed directly from
ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests
can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative
number (or large unsigned value) used for a subsequent memcpy in
ksmbd_auth_ntlvm2 and can cause a panic.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')
0 files changed, 0 insertions, 0 deletions