ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. Reported-by: Jordy Zomer <[email protected]> Signed-off-by: Jordy Zomer <[email protected]> Signed-off-by: Namjae Jeon <[email protected]>
namjaejeon · Nov 28, 2024 · bdc6043 · bdc6043
1 parent d9302c3
commit bdc6043
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/smb2pdu.c b/smb2pdu.c
@@ -7422,6 +7422,8 @@ int smb2_write(struct ksmbd_work *work)
 	}
 
 	offset = le64_to_cpu(req->Offset);
+	if (offset < 0)
+		return -EINVAL;
 	length = le32_to_cpu(req->Length);
 
 	if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||