cifsd: fix potential read overflow in ksmbd_vfs_stream_read()

If *pos or *pos + count is greater than v_len, It will read beyond
the stream_buf buffer. This patch add the check and cut down count with
size of the buffer.

Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c
index 56b1091473b97ede450a63ad503f684cf3bf6eef..9111b485d6115b4dd67d3ac13f8151e97ffa8b65 100644 (file)
--- a/fs/cifsd/vfs.c
+++ b/fs/cifsd/vfs.c
@@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos,
        if ((int)v_len <= 0)
                return (int)v_len;
 
+       if (v_len <= *pos) {
+               count = -EINVAL;
+               goto free_buf;
+       }
+
+       if (v_len - *pos < count)
+               count = v_len - *pos;
+
        memcpy(buf, &stream_buf[*pos], count);
+
+free_buf:
        kvfree(stream_buf);
-       return v_len > count ? count : v_len;
+       return count;
 }
 
 /**