Commit 2ae03025 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French

cifs: extra sanity checking for cifs.idmap keys

Now that we aren't so rigid about the length of the key being passed
in, we need to be a bit more rigorous about checking the length of
the actual data against the claimed length (à la the num_subauths field).

Check for the case where userspace sends us a seemingly valid key
with a num_subauths field that goes beyond the end of the array. If
that happens, return -EIO and invalidate the key.

Also change the other places where we check for malformed keys in this
code to invalidate the key as well.
Reviewed-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent 41a9f1f6
...@@ -191,6 +191,8 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) ...@@ -191,6 +191,8 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
{ {
int rc; int rc;
struct key *sidkey; struct key *sidkey;
struct cifs_sid *ksid;
unsigned int ksid_size;
char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */ char desc[3 + 10 + 1]; /* 3 byte prefix + 10 bytes for value + NULL */
const struct cred *saved_cred; const struct cred *saved_cred;
...@@ -211,14 +213,27 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) ...@@ -211,14 +213,27 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
rc = -EIO; rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key " cFYI(1, "%s: Downcall contained malformed key "
"(datalen=%hu)", __func__, sidkey->datalen); "(datalen=%hu)", __func__, sidkey->datalen);
goto out_key_put; goto invalidate_key;
} }
cifs_copy_sid(ssid, (struct cifs_sid *)sidkey->payload.data);
ksid = (struct cifs_sid *)sidkey->payload.data;
ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
if (ksid_size > sidkey->datalen) {
rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key (datalen=%hu, "
"ksid_size=%u)", __func__, sidkey->datalen, ksid_size);
goto invalidate_key;
}
cifs_copy_sid(ssid, ksid);
out_key_put: out_key_put:
key_put(sidkey); key_put(sidkey);
out_revert_creds: out_revert_creds:
revert_creds(saved_cred); revert_creds(saved_cred);
return rc; return rc;
invalidate_key:
key_invalidate(sidkey);
goto out_key_put;
} }
static int static int
...@@ -264,6 +279,7 @@ sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid, ...@@ -264,6 +279,7 @@ sid_to_id(struct cifs_sb_info *cifs_sb, struct cifs_sid *psid,
rc = -EIO; rc = -EIO;
cFYI(1, "%s: Downcall contained malformed key " cFYI(1, "%s: Downcall contained malformed key "
"(datalen=%hu)", __func__, sidkey->datalen); "(datalen=%hu)", __func__, sidkey->datalen);
key_invalidate(sidkey);
goto out_key_put; goto out_key_put;
} }
......
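Review bot: The new `ksid_size > sidkey->datalen` test in id_to_sid() bounds the read from the key payload, but nothing visible bounds `ksid->num_subauth` against the capacity of the destination `ssid` before `cifs_copy_sid(ssid, ksid)`. `cifs_copy_sid()` is not shown on this page, so if it does not clamp the count itself, a key whose length and count agree but exceed the sub-authority array would still pass. Rejecting it in the same test would close that, e.g. `if (ksid->num_subauth > SID_MAX_SUB_AUTHORITIES || ksid_size > sidkey->datalen) {`. A one-line comment above the check, such as `/* payload comes from the userspace upcall helper; validate before copying */`, would record why the key is treated as untrusted. As a style point, sid_to_id() calls `key_invalidate(sidkey)` inline while id_to_sid() uses the `invalidate_key:` label; both bodies begin outside the visible hunks, so the earlier `datalen` tests cannot be checked from here.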