Commit 3845c736 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

cifs: integer overflow in in SMB2_ioctl()

commit 2d204ee9 upstream

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: default avatarDan Carpenter <>
Signed-off-by: default avatarSteve French <>
Reviewed-by: default avatarAurelien Aptel <>
CC: Stable <>
Signed-off-by: default avatarSudip Mukherjee <>
Signed-off-by: default avatarSasha Levin <>
parent 0d9b5136
......@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
/* We check for obvious errors in the output buffer length and offset */
if (*plen == 0)
goto ioctl_exit; /* server returned no data */
else if (*plen > 0xFF00) {
else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
*plen = 0;
rc = -EIO;
goto ioctl_exit;
if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
*plen = 0;
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment