ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Reported-by: Jordy Zomer <[email protected]> Signed-off-by: Jordy Zomer <[email protected]> Signed-off-by: Namjae Jeon <[email protected]>
namjaejeon · Nov 28, 2024 · d9302c3 · d9302c3
1 parent 47f2f72
commit d9302c3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/smb2pdu.c b/smb2pdu.c
@@ -7205,6 +7205,10 @@ int smb2_read(struct ksmbd_work *work)
 	}
 
 	offset = le64_to_cpu(req->Offset);
+	if (offset < 0) {
+		err = -EINVAL;
+		goto out;
+	}
 	length = le32_to_cpu(req->Length);
 	mincount = le32_to_cpu(req->MinimumCount);