ksmbd: fix out-of-bounds in parse_sec_desc()
author Namjae Jeon <linkinjeon@kernel.org>
Tue, 18 Feb 2025 13:49:50 +0000 (22:49 +0900)
committer Steve French <stfrench@microsoft.com>
Mon, 3 Mar 2025 04:50:53 +0000 (22:50 -0600)
commit d6e13e19063db24f94b690159d0633aaf72a0f03
tree 40e424c4507411c41950e0813483e0bee69de057
parent 4dd541f9d9e4d8cdfa9797e68d893b0c27e4c46c
ksmbd: fix out-of-bounds in parse_sec_desc()

If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd
struct size. If it is smaller, it could cause slab-out-of-bounds.
And when validating sid, it needs to check it included subauth array size.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smbacl.c
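
The two checks the commit message describes, as an added user-space example that is not the ksmbd code: each non-zero offset must point past the descriptor header, and a SID must fit in the buffer with its subauth array included. The byte layout (20-byte header with the offsets at bytes 4, 8 and 16, 8-byte fixed SID part, 8-byte ACL header, at most 15 sub-authorities) and the names check_sec_desc, check_sid, off_ok and make_sample are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define NTSD_HDR_SIZE   20u /* assumed: revision(2) type(2) + four le32 offsets */
#define SID_FIXED_SIZE  8u  /* assumed: revision(1) num_subauth(1) authority(6) */
#define ACL_HDR_SIZE    8u  /* assumed fixed ACL header size */
#define SID_MAX_SUBAUTH 15u
static uint8_t sample[64];  /* constructed test buffer, not captured traffic */

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* An offset is usable only if it lies past the header and leaves 'need' bytes. */
static int off_ok(size_t len, uint32_t off, size_t need)
{
    return off >= NTSD_HDR_SIZE && off <= len && len - off >= need;
}

/* The fixed part must fit before num_subauth is read; then the array must fit. */
static int check_sid(const uint8_t *buf, size_t len, uint32_t off)
{
    if (!off_ok(len, off, SID_FIXED_SIZE))
        return -1;
    uint8_t n = buf[off + 1]; /* num_subauth is supplied by the client */
    return (n <= SID_MAX_SUBAUTH && off_ok(len, off, SID_FIXED_SIZE + 4u * n)) ? 0 : -1;
}

/* Returns 0 if every non-zero offset is safe to dereference, -1 otherwise. */
int check_sec_desc(const uint8_t *buf, size_t len)
{
    if (len < NTSD_HDR_SIZE)
        return -1;
    uint32_t osid = rd_le32(buf + 4), gsid = rd_le32(buf + 8), dacl = rd_le32(buf + 16);
    if ((osid && check_sid(buf, len, osid)) || (gsid && check_sid(buf, len, gsid)))
        return -1;
    return (dacl && !off_ok(len, dacl, ACL_HDR_SIZE)) ? -1 : 0;
}

/* Builds a descriptor with the owner SID at byte 20 and room for 2 sub-authorities. */
size_t make_sample(uint32_t osidoffset, uint8_t num_subauth)
{
    memset(sample, 0, sizeof(sample));
    sample[4] = (uint8_t)osidoffset;         /* osidoffset, low byte only */
    sample[NTSD_HDR_SIZE + 1] = num_subauth; /* claimed sub-authority count */
    return NTSD_HDR_SIZE + SID_FIXED_SIZE + 2 * 4;
}
int main(void) { return check_sec_desc(sample, make_sample(20, 2)); }
```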