Date: Fri, 4 Aug 2023 23:43:10 GMT
Message-Id: <202308042343.374NhARn059225@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: aca3d65fedff - main - netsmb: Add bounds checking to smb_t2_placedata

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=aca3d65fedffbbe71399a88d33ea8ecf550177eb

commit aca3d65fedffbbe71399a88d33ea8ecf550177eb
Author: John Baldwin
AuthorDate: 2023-08-04 23:42:41 +0000
Commit: John Baldwin
CommitDate: 2023-08-04 23:42:41 +0000

    netsmb: Add bounds checking to smb_t2_placedata

    Verify that the requested region of the mbuf chain is not beyond the
    end of the chain before trimming it from the end. If it is out of
    bounds, fail with an error (EPROTO).

    While here, properly handle the case that the amount of data at the
    end of the chain might span more than one mbuf by using m_adj to drop
    the extra bytes rather than assuming m_len of the last mbuf can be
    adjusted directly.

    PR: 258504
    Reported by: Robert Morris
    Co-authored-by: Robert Morris
    MFC after: 1 week
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D41229
--- sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index 3e4fc0804620..1af1ff92dfa0 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c
@@ -425,12 +425,18 @@ static int smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count, struct mdchain *mdp) { - struct mbuf *m, *m0; + struct mbuf *m0; int len; + len = m_length(mtop, NULL); + if (offset + count > len) + return (EPROTO); + m0 = m_split(mtop, offset, M_WAITOK); - len = m_length(m0, &m); - m->m_len -= len - count; + if (len != offset + count) { + len -= offset + count; + m_adj(m0, -len); + } if (mdp->md_top == NULL) { md_initm(mdp, m0); } else
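
Review bot: The new bounds check `if (offset + count > len)` is only safe from wraparound because `offset` and `count` are `u_int16_t` and promote to `int` before the addition; a one-line comment saying so would keep a later widening of those parameter types from quietly weakening the check. In the trimming block, `len` is reused to mean first the total chain length and then the number of excess trailing bytes (`len -= offset + count;`), which makes `m_adj(m0, -len)` harder to audit at a glance; a separate local for the excess would make the intent explicit. The `return (EPROTO)` path exits before `m_split`, leaving `mtop` untouched, and the hunk does not show the callers, so it is worth confirming that each caller propagates the non-zero return and releases the chain rather than continuing with partially placed data.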