ksmbd: allocate one more byte for implied bcc[0]

commit 443d61d1fa9faa60ef925513d83742902390100f upstream.

ksmbd_smb2_check_message allows client to return one byte more, so we
need to allocate additional memory in ksmbd_conn_handler_loop to avoid
out-of-bound access.

Cc: stable@vger.kernel.org
Signed-off-by: Chih-Yen Chang <cc85nod@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c
index b4c79359ef8b740fa2d788d7c50b05eccf71bb99..cab274b77727fa7cdfa710ac14da8f81dbe735cd 100644 (file)
--- a/fs/ksmbd/connection.c
+++ b/fs/ksmbd/connection.c
@@ -320,7 +320,8 @@ int ksmbd_conn_handler_loop(void *p)
                        break;
 
                /* 4 for rfc1002 length field */
-               size = pdu_size + 4;
+               /* 1 for implied bcc[0] */
+               size = pdu_size + 4 + 1;
                conn->request_buf = kvmalloc(size, GFP_KERNEL);
                if (!conn->request_buf)
                        break;