netsmb: Add bounds checking to smb_t2_placedata
Verify that the requested region of the mbuf chain is not beyond the end of the chain before trimming it from the end. If it is out of bounds, fail with an error (EPROTO). While here, properly handle the case that the amount of data at the end of the chain might span more than one mbuf by using m_adj to drop the extra bytes rather than assuming m_len of the last mbuf can be adjusted directly. PR: 258504 Reported by: Robert Morris <rtm@lcs.mit.edu> Co-authored-by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41229
parent
4af849d71f
commit
aca3d65fed
|
@ -425,12 +425,18 @@ static int
|
|||
smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count,
|
||||
struct mdchain *mdp)
|
||||
{
|
||||
struct mbuf *m, *m0;
|
||||
struct mbuf *m0;
|
||||
int len;
|
||||
|
||||
len = m_length(mtop, NULL);
|
||||
if (offset + count > len)
|
||||
return (EPROTO);
|
||||
|
||||
m0 = m_split(mtop, offset, M_WAITOK);
|
||||
len = m_length(m0, &m);
|
||||
m->m_len -= len - count;
|
||||
if (len != offset + count) {
|
||||
len -= offset + count;
|
||||
m_adj(m0, -len);
|
||||
}
|
||||
if (mdp->md_top == NULL) {
|
||||
md_initm(mdp, m0);
|
||||
} else
|
||||
|
|
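Review bot: The new early `return (EPROTO)` at the top of smb_t2_placedata leaves before m_split() runs, so on that path `mtop` is untouched and still belongs to the caller. The callers are not visible in this hunk, so it is worth confirming that each one frees the chain when this function fails, since offset and count presumably come from the peer's reply. A short comment on the check would help, e.g. `/* Reject a region that extends past the end of the chain. */`, and another on the trim, `/* A negative m_adj() length drops the surplus bytes from the tail. */`, because `len` is reused there for the surplus rather than the total length. The function body continues past the end of the hunk.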