system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 02:37:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

netsmb: Add bounds checking to smb_t2_placedata

Browse source 
Verify that the requested region of the mbuf chain is not beyond the
end of the chain before trimming it from the end.  If it is out of
bounds, fail with an error (EPROTO).

While here, properly handle the case that the amount of data at the
end of the chain might span more than one mbuf by using m_adj to drop
the extra bytes rather than assuming m_len of the last mbuf can be
adjusted directly.

PR:		258504
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Co-authored-by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D41229
This commit is contained in:
John Baldwin 2023-08-04 16:42:41 -07:00
parent 4af849d71f
commit aca3d65fed
1 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
sys/netsmb/smb_rq.c
View file

@ -425,12 +425,18 @@ static int
smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count,
struct mdchain *mdp)
{
struct mbuf *m, *m0;
struct mbuf *m0;
int len;
len = m_length(mtop, NULL);
if (offset + count > len)
return (EPROTO);
m0 = m_split(mtop, offset, M_WAITOK);
len = m_length(m0, &m);
m->m_len -= len - count;
if (len != offset + count) {
len -= offset + count;
m_adj(m0, -len);
}
if (mdp->md_top == NULL) {
md_initm(mdp, m0);
} else