cifsd: fix potential read overflow in ksmbd_vfs_stream_read()

If *pos or *pos + count is greater than v_len, It will read beyond the stream_buf buffer. This patch add the check and cut down count with size of the buffer. Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>

cifsd: fix potential read overflow in ksmbd_vfs_stream_read()
If *pos or *pos + count is greater than v_len, It will read beyond the stream_buf buffer. This patch add the check and cut down count with size of the buffer. Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2ae1a6cc · Namjae Jeon · fd6de099 · 2ae1a6cc
Commit 2ae1a6cc authored May 31, 2021 by Namjae Jeon
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

fs/cifsd/vfs.c fs/cifsd/vfs.c +11 -1

No files found.
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
 	if ((int)v_len <= 0)
 		return (int)v_len;

+	if (v_len <= *pos) {
+		count = -EINVAL;
+		goto free_buf;
+	}
+
+	if (v_len - *pos < count)
+		count = v_len - *pos;
+
 	memcpy(buf, &stream_buf[*pos], count);
+
+free_buf:
 	kvfree(stream_buf);
-	return v_len > count ? count : v_len;
+	return count;
 }

 /**