ksmbd: validate zero num_subauth before sub_auth is accessed

Access psid->sub_auth[psid->num_subauth - 1] without checking
if num_subauth is non-zero leads to an out-of-bounds read.
This patch adds a validation step to ensure num_subauth != 0
before sub_auth is accessed.

Cc: stable@vger.kernel.org
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c
index 2693ea2d67aa7deb7b965124fe2fa7a2c54cf561..5aa7a66334d93d4002800a198982463a825dff07 100644 (file)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *idmap,
                return -EIO;
        }
 
+       if (psid->num_subauth == 0) {
+               pr_err("%s: zero subauthorities!\n", __func__);
+               return -EIO;
+       }
+
        if (sidtype == SIDOWNER) {
                kuid_t uid;
                uid_t id;