Date: Wed, 6 Sep 2023 21:57:05 GMT
Message-Id: <202309062157.386Lv5GR023840@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: dd66ba430cb9 - stable/12 - netsmb: Add bounds checking to smb_t2_placedata
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: dd66ba430cb9d4c53fdd583fa2f20521552d58ff

The branch stable/12 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd66ba430cb9d4c53fdd583fa2f20521552d58ff

commit dd66ba430cb9d4c53fdd583fa2f20521552d58ff
Author:     John Baldwin
AuthorDate: 2023-08-04 23:42:41 +0000
Commit:     John Baldwin
CommitDate: 2023-09-06 20:03:18 +0000

    netsmb: Add bounds checking to smb_t2_placedata

    Verify that the requested region of the mbuf chain is not beyond the
    end of the chain before trimming it from the end. If it is out of
    bounds, fail with an error (EPROTO).

    While here, properly handle the case that the amount of data at the
    end of the chain might span more than one mbuf by using m_adj to drop
    the extra bytes rather than assuming m_len of the last mbuf can be
    adjusted directly.

    PR: 258504
    Reported by: Robert Morris
    Co-authored-by: Robert Morris
    MFC after: 1 week
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D41229

    (cherry picked from commit aca3d65fedffbbe71399a88d33ea8ecf550177eb)

--- sys/netsmb/smb_rq.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index 5a2ec0e7214a..c55dd1d91891 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c
@@ -426,12 +426,18 @@ static int smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count, struct mdchain *mdp) { - struct mbuf *m, *m0; + struct mbuf *m0; int len; + len = m_length(mtop, NULL); + if (offset + count > len) + return (EPROTO); + m0 = m_split(mtop, offset, M_WAITOK); - len = m_length(m0, &m); - m->m_len -= len - count; + if (len != offset + count) { + len -= offset + count; + m_adj(m0, -len); + } if (mdp->md_top == NULL) { md_initm(mdp, m0); } else
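
Review bot: In the block after m_split, len changes meaning from the total chain length to the number of surplus tail bytes ("len -= offset + count;" followed by "m_adj(m0, -len);"), which makes the trim harder to audit; a separate local such as "int extra = len - (offset + count);" passed as m_adj(m0, -extra) would keep both quantities visible. The new check "if (offset + count > len)" is only overflow-free because both u_int16_t operands are promoted to int before the addition, so a one-line comment saying so would protect it against a later change of those parameter types, and since m_length returns an unsigned value that is stored in the signed len, it is worth stating that chains here cannot exceed INT_MAX. The early "return (EPROTO);" leaves mtop unsplit and still owned by the caller, and the hunk does not show the call sites, so please confirm that they free the chain on this error path. It would also help to note whether count == 0 with offset equal to the chain length is expected to pass the check and reach m_split.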