ksmbd: validate zero num_subauth before sub_auth is accessed

commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream. Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed. Cc: stable@vger.kernel.org Signed-off-by: Norbert Szetei <norbert@doyensec.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-03-29 16:06:01 +00:00 · 2025-03-29 16:06:01 +00:00 · 3ac65de111
commit 3ac65de111
parent 596407adb9
1 changed files with 5 additions and 0 deletions
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@ -270,6 +270,11 @@ static int sid_to_id(struct user_namespace *user_ns,
 		return -EIO;
 	}

+	if (psid->num_subauth == 0) {
+		pr_err("%s: zero subauthorities!\n", __func__);
+		return -EIO;
+	}
+
 	if (sidtype == SIDOWNER) {
 		kuid_t uid;
 		uid_t id;