1. Patchew
  2. linux
  3. View series

[PATCH] smb: client: Add check for next_buffer in receive_encrypted_standard()

Haoxiang Li posted 1 patch 10 months ago 
fs/smb/client/smb2ops.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH] smb: client: Add check for next_buffer in receive_encrypted_standard()
Posted by Haoxiang Li 10 months ago 
Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
in receive_encrypted_standard() to prevent null pointer dereference.

Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
---
 fs/smb/client/smb2ops.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index ec36bed54b0b..2ca8fe196051 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4964,6 +4964,10 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
 			next_buffer = (char *)cifs_buf_get();
 		else
 			next_buffer = (char *)cifs_small_buf_get();
+		if (!next_buffer) {
+			cifs_server_dbg(VFS, "No memory for (large) SMB response\n");
+			return -1;
+		}
 		memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
 	}
 
-- 
2.25.1
Re: [PATCH] smb: client: Add check for next_buffer in receive_encrypted_standard()
Posted by Steve French 10 months ago 
merged into cifs-2.6.git for-next pending additional review and testing

On Mon, Feb 17, 2025 at 1:22 AM Haoxiang Li <haoxiang_li2024@163.com> wrote:
>
> Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
> in receive_encrypted_standard() to prevent null pointer dereference.
>
> Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
> ---
>  fs/smb/client/smb2ops.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
> index ec36bed54b0b..2ca8fe196051 100644
> --- a/fs/smb/client/smb2ops.c
> +++ b/fs/smb/client/smb2ops.c
> @@ -4964,6 +4964,10 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
>                         next_buffer = (char *)cifs_buf_get();
>                 else
>                         next_buffer = (char *)cifs_small_buf_get();
> +               if (!next_buffer) {
> +                       cifs_server_dbg(VFS, "No memory for (large) SMB response\n");
> +                       return -1;
> +               }
>                 memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
>         }
>
> --
> 2.25.1
>
>


-- 
Thanks,

Steve

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.