diff options
| author | Namjae Jeon <linkinjeon@kernel.org> | 2025-02-12 09:32:11 +0900 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-03-28 22:03:32 +0100 |
| commit | a4cb17797a5d241f1e509cb5b46ed95a80c2f5fd (patch) | |
| tree | 559e6bd0514b3a72da33e34cc14bd91758193fb7 /include/net/aligned_data.h | |
| parent | 731eccbd65aac026770e78279d551e1895572bd0 (diff) | |
ksmbd: fix incorrect validation for num_aces field of smb_acl
commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 upstream.
parse_dcal() validate num_aces to allocate posix_ace_state_array.
if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
It is an incorrect validation that we can create an array of size ULONG_MAX.
smb_acl has ->size field to calculate actual number of aces in request buffer
size. Use this to check invalid num_aces.
Reported-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Tested-by: Igor Leite Ladessa <igor-ladessa@hotmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/net/aligned_data.h')
0 files changed, 0 insertions, 0 deletions