From nobody Wed Sep 06 21:56:48 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Rgx6S6JCWz4sJ32; Wed, 6 Sep 2023 21:56:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Rgx6S5kCwz3bqs; Wed, 6 Sep 2023 21:56:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694037408; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=P729HjTOlpUT0afTv4KKwxNZX1b5eGvDvtHnMfFQXu8=; b=TbzPFnCqa25GA4MvS4FgBZmWnE73Fequ5jUAxwVxjJYU835S0OWT8YLwx0IWS484E0ZMyz c2yh4n/JhU4RYNYQ/ioC8kCPJzTOW47mmYNUzhvHkbWvrOovogyfIDMIebxSkpQ+swUFLK OF6p6bWUDdRQdWwlb/gu6ZRCJUs1Fx62V6+yLJy4BbTPhpr/94lVuuwEzvIBdIPDFlk75G n6cKKqFTDsKxCOclGqAbW44Nz8B5KrEOtsnf/4YmdeUihdPlNG/eIauoDHXEsoBL3o+x8D 03sy1vLZs1x+0RHNTgMSoI7ImfvaNhaTk9VZntXZ+3zQ43XCtgnSscSOO1wLZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1694037408; a=rsa-sha256; cv=none; b=NrxX+JCYExBcunISz7XfGmHJ6HdfonOiCVA5L7kUsomddGkGOL1tyH7oUUBnQT6Q3FhXU7 MbEnFJJXId4eipGI+91Ge1M3zE81yx6LfODnfC9zOl4z0gvnI/3N9UC1Te8pEGDIzudY/7 PcN3WCbAULed2JTCwkoGm/jDQkHCCi0W2fqagIjwz8Xy9BGXIXtae9g+KjRNuP6LP/l28k YMB0ZFVIGqpUYPJjfmorK7IxcTyTYRNqWIah/Q4qaSzwgPGyQs+kJw0FXWcrJsEI1aaKY0 Cew8DbKp0Q4N6YyENASrgcjmk7vqRHnHnw0Yg4ekrCHgIRsS3u16OuFkizl8+w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694037408; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=P729HjTOlpUT0afTv4KKwxNZX1b5eGvDvtHnMfFQXu8=; b=CO0ZEt7Psxk1ascCXAvBv2JdoOw1WtJ2n6TLlVEWvCiQQIH17E/Fe9uCaEI0DJDB4Q6Nve uFk6FPpM71jDCZtSyHfXQ+IjN/Hb/mFT/L8Y37czxmRG3hvxPJHOY50S0vAltXlomGdNws yJepquK4BLcZpFN85xHDyU+ib6ZNFwSVjhLja85sSr6moUf5egridEguBr9PeMyN9WPK6u Ui+2taeahtsL1SNKKZgZISrR5DZIdoRkrpbU8Ae1kxNhownn7GJESofDSYFQeQ+Wd41gF3 83IzfHE1/u1Xrda9sYflHIXfRI4GVVD3aeST1RdqnY/L5H/Ny+DTEcFY00IHjg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Rgx6S4qS0zYvb; Wed, 6 Sep 2023 21:56:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 386Lumn7023125; Wed, 6 Sep 2023 21:56:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 386LumYJ023122; Wed, 6 Sep 2023 21:56:48 GMT (envelope-from git) Date: Wed, 6 Sep 2023 21:56:48 GMT Message-Id: <202309062156.386LumYJ023122@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: John Baldwin Subject: git: 5b8178fa46a7 - stable/13 - netsmb: Add bounds checking to smb_t2_placedata List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 5b8178fa46a766ece29aafcceed3c3db01f51a0b Auto-Submitted: auto-generated The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=5b8178fa46a766ece29aafcceed3c3db01f51a0b commit 5b8178fa46a766ece29aafcceed3c3db01f51a0b Author: John Baldwin AuthorDate: 2023-08-04 23:42:41 +0000 Commit: John Baldwin CommitDate: 2023-09-06 21:56:10 +0000 netsmb: Add bounds checking to smb_t2_placedata Verify that the requested region of the mbuf chain is not beyond the end of the chain before trimming it from the end. If it is out of bounds, fail with an error (EPROTO). While here, properly handle the case that the amount of data at the end of the chain might span more than one mbuf by using m_adj to drop the extra bytes rather than assuming m_len of the last mbuf can be adjusted directly. PR: 258504 Reported by: Robert Morris Co-authored-by: Robert Morris MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41229 (cherry picked from commit aca3d65fedffbbe71399a88d33ea8ecf550177eb) --- sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index b701ce5fc1a3..71f6e221ace9 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c @@ -423,12 +423,18 @@ static int smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count, struct mdchain *mdp) { - struct mbuf *m, *m0; + struct mbuf *m0; int len; + len = m_length(mtop, NULL); + if (offset + count > len) + return (EPROTO); + m0 = m_split(mtop, offset, M_WAITOK); - len = m_length(m0, &m); - m->m_len -= len - count; + if (len != offset + count) { + len -= offset + count; + m_adj(m0, -len); + } if (mdp->md_top == NULL) { md_initm(mdp, m0); } else