Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 4 Aug 2023 23:43:10 GMT
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: aca3d65fedff - main - netsmb: Add bounds checking to smb_t2_placedata
Message-ID:  <202308042343.374NhARn059225@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=aca3d65fedffbbe71399a88d33ea8ecf550177eb

commit aca3d65fedffbbe71399a88d33ea8ecf550177eb
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-08-04 23:42:41 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-08-04 23:42:41 +0000

    netsmb: Add bounds checking to smb_t2_placedata
    
    Verify that the requested region of the mbuf chain is not beyond the
    end of the chain before trimming it from the end.  If it is out of
    bounds, fail with an error (EPROTO).
    
    While here, properly handle the case that the amount of data at the
    end of the chain might span more than one mbuf by using m_adj to drop
    the extra bytes rather than assuming m_len of the last mbuf can be
    adjusted directly.
    
    PR:             258504
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Co-authored-by: Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D41229
---
 sys/netsmb/smb_rq.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c
index 3e4fc0804620..1af1ff92dfa0 100644
--- a/sys/netsmb/smb_rq.c
+++ b/sys/netsmb/smb_rq.c
@@ -425,12 +425,18 @@ static int
 smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count,
 	struct mdchain *mdp)
 {
-	struct mbuf *m, *m0;
+	struct mbuf *m0;
 	int len;
 
+	len = m_length(mtop, NULL);
+	if (offset + count > len)
+		return (EPROTO);
+
 	m0 = m_split(mtop, offset, M_WAITOK);
-	len = m_length(m0, &m);
-	m->m_len -= len - count;
+	if (len != offset + count) {
+		len -= offset + count;
+		m_adj(m0, -len);
+	}
 	if (mdp->md_top == NULL) {
 		md_initm(mdp, m0);
 	} else

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202308042343.374NhARn059225>