* [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 8:52 ` Dan Carpenter
0 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2012-01-31 8:52 UTC (permalink / raw)
To: Steve French
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
We should check that we're not copying memory from beyond the end of the
blob.
Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index d85efad..eb76741 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
+ if (tioffset > blob_len || tioffset + tilen > blob_len) {
+ cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
+ return -EINVAL;
+ }
if (tilen) {
ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
if (!ses->auth_key.response) {
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 8:52 ` Dan Carpenter
0 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2012-01-31 8:52 UTC (permalink / raw)
To: Steve French
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
We should check that we're not copying memory from beyond the end of the
blob.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index d85efad..eb76741 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
+ if (tioffset > blob_len || tioffset + tilen > blob_len) {
+ cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
+ return -EINVAL;
+ }
if (tilen) {
ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
if (!ses->auth_key.response) {
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
2012-01-31 8:52 ` Dan Carpenter
@ 2012-01-31 10:49 ` Jeff Layton
-1 siblings, 0 replies; 11+ messages in thread
From: Jeff Layton @ 2012-01-31 10:49 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical
On Tue, 31 Jan 2012 11:52:01 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> + return -EINVAL;
> + }
Good catch.
Do we really need a || here though? Would it not be sufficient to check
if tioffset + tilen > blob_len? Or are you concerned about that value
wrapping?
> if (tilen) {
> ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
> if (!ses->auth_key.response) {
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Jeff Layton <jlayton@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 10:49 ` Jeff Layton
0 siblings, 0 replies; 11+ messages in thread
From: Jeff Layton @ 2012-01-31 10:49 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical
On Tue, 31 Jan 2012 11:52:01 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> + return -EINVAL;
> + }
Good catch.
Do we really need a || here though? Would it not be sufficient to check
if tioffset + tilen > blob_len? Or are you concerned about that value
wrapping?
> if (tilen) {
> ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
> if (!ses->auth_key.response) {
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Jeff Layton <jlayton@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
2012-01-31 10:49 ` Jeff Layton
@ 2012-01-31 11:25 ` Dan Carpenter
-1 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2012-01-31 11:25 UTC (permalink / raw)
To: Jeff Layton; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical
[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]
On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> On Tue, 31 Jan 2012 11:52:01 +0300
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> > We should check that we're not copying memory from beyond the end of the
> > blob.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > index d85efad..eb76741 100644
> > --- a/fs/cifs/sess.c
> > +++ b/fs/cifs/sess.c
> > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > + return -EINVAL;
> > + }
>
> Good catch.
>
> Do we really need a || here though? Would it not be sufficient to check
> if tioffset + tilen > blob_len? Or are you concerned about that value
> wrapping?
Yep. I was concerned about value wrapping.
regards,
dan carpenter
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 11:25 ` Dan Carpenter
0 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2012-01-31 11:25 UTC (permalink / raw)
To: Jeff Layton; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical
[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]
On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> On Tue, 31 Jan 2012 11:52:01 +0300
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> > We should check that we're not copying memory from beyond the end of the
> > blob.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > index d85efad..eb76741 100644
> > --- a/fs/cifs/sess.c
> > +++ b/fs/cifs/sess.c
> > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > + return -EINVAL;
> > + }
>
> Good catch.
>
> Do we really need a || here though? Would it not be sufficient to check
> if tioffset + tilen > blob_len? Or are you concerned about that value
> wrapping?
Yep. I was concerned about value wrapping.
regards,
dan carpenter
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
2012-01-31 11:25 ` Dan Carpenter
@ 2012-01-31 11:50 ` Jeff Layton
-1 siblings, 0 replies; 11+ messages in thread
From: Jeff Layton @ 2012-01-31 11:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]
On Tue, 31 Jan 2012 14:25:08 +0300
Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> wrote:
> On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> > On Tue, 31 Jan 2012 11:52:01 +0300
> > Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> wrote:
> >
> > > We should check that we're not copying memory from beyond the end of the
> > > blob.
> > >
> > > Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
> > >
> > > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > > index d85efad..eb76741 100644
> > > --- a/fs/cifs/sess.c
> > > +++ b/fs/cifs/sess.c
> > > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > > + return -EINVAL;
> > > + }
> >
> > Good catch.
> >
> > Do we really need a || here though? Would it not be sufficient to check
> > if tioffset + tilen > blob_len? Or are you concerned about that value
> > wrapping?
>
> Yep. I was concerned about value wrapping.
>
> regards,
> dan carpenter
>
Seems reasonable then. Thanks...
Reviewed-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 11:50 ` Jeff Layton
0 siblings, 0 replies; 11+ messages in thread
From: Jeff Layton @ 2012-01-31 11:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 1413 bytes --]
On Tue, 31 Jan 2012 14:25:08 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, Jan 31, 2012 at 05:49:37AM -0500, Jeff Layton wrote:
> > On Tue, 31 Jan 2012 11:52:01 +0300
> > Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > > We should check that we're not copying memory from beyond the end of the
> > > blob.
> > >
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > >
> > > diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> > > index d85efad..eb76741 100644
> > > --- a/fs/cifs/sess.c
> > > +++ b/fs/cifs/sess.c
> > > @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> > > ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> > > tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> > > tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> > > + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> > > + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> > > + return -EINVAL;
> > > + }
> >
> > Good catch.
> >
> > Do we really need a || here though? Would it not be sufficient to check
> > if tioffset + tilen > blob_len? Or are you concerned about that value
> > wrapping?
>
> Yep. I was concerned about value wrapping.
>
> regards,
> dan carpenter
>
Seems reasonable then. Thanks...
Reviewed-by: Jeff Layton <jlayton@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
2012-01-31 8:52 ` Dan Carpenter
(?)
(?)
@ 2012-01-31 13:42 ` Steve French
-1 siblings, 0 replies; 11+ messages in thread
From: Steve French @ 2012-01-31 13:42 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Steve French, linux-cifs, kernel-janitors, samba-technical
merged to cifs-2.6.git
On Tue, Jan 31, 2012 at 2:52 AM, Dan Carpenter <dan.carpenter@oracle.com>wrote:
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr,
> int blob_len,
> ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> + cERROR(1, "tioffset + tilen too high %u + %u", tioffset,
> tilen);
> + return -EINVAL;
> + }
> if (tilen) {
> ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
> if (!ses->auth_key.response) {
>
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
2012-01-31 8:52 ` Dan Carpenter
@ 2012-01-31 13:43 ` Steve French
-1 siblings, 0 replies; 11+ messages in thread
From: Steve French @ 2012-01-31 13:43 UTC (permalink / raw)
Cc: linux-cifs, kernel-janitors, samba-technical
merged to cifs-2.6.git
On Tue, Jan 31, 2012 at 2:52 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> + return -EINVAL;
> + }
> if (tilen) {
> ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
> if (!ses->auth_key.response) {
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] cifs: check offset in decode_ntlmssp_challenge()
@ 2012-01-31 13:43 ` Steve French
0 siblings, 0 replies; 11+ messages in thread
From: Steve French @ 2012-01-31 13:43 UTC (permalink / raw)
Cc: linux-cifs, kernel-janitors, samba-technical
merged to cifs-2.6.git
On Tue, Jan 31, 2012 at 2:52 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> We should check that we're not copying memory from beyond the end of the
> blob.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index d85efad..eb76741 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -395,6 +395,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
> ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
> tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
> tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
> + if (tioffset > blob_len || tioffset + tilen > blob_len) {
> + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
> + return -EINVAL;
> + }
> if (tilen) {
> ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
> if (!ses->auth_key.response) {
--
Thanks,
Steve
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2012-01-31 13:43 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-01-31 8:52 [patch] cifs: check offset in decode_ntlmssp_challenge() Dan Carpenter
2012-01-31 8:52 ` Dan Carpenter
2012-01-31 10:49 ` Jeff Layton
2012-01-31 10:49 ` Jeff Layton
2012-01-31 11:25 ` Dan Carpenter
2012-01-31 11:25 ` Dan Carpenter
2012-01-31 11:50 ` Jeff Layton
2012-01-31 11:50 ` Jeff Layton
2012-01-31 13:42 ` Steve French
2012-01-31 13:43 ` Steve French
2012-01-31 13:43 ` Steve French
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.