path: root/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
author Jerome Marchand <[email protected]> 2016-05-26 09:52:25 +0000
committer Steve French <[email protected]> 2016-06-24 04:45:07 +0000
commit b8da344b74c822e966c6d19d6b2321efe82c5d97 (patch)
tree f4b6a50200af4e957e3ba0872e3555b74be21679 /drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
parent cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name (diff)
cifs: dynamic allocation of ntlmssp blob

In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated statically and its size is an "empirical" 5*sizeof(struct _AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value comes from or if it was ever appropriate, but it is currently insufficient: the user and domain name in UTF16 could take 1kB by themselves. Because of that, build_ntlmssp_auth_blob() might corrupt memory (out-of-bounds write).

The size of ntlmssp_blob in SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE) + 500).

This patch allocates the blob dynamically in build_ntlmssp_auth_blob().

Signed-off-by: Jerome Marchand <[email protected]>
Signed-off-by: Steve French <[email protected]>
CC: Stable <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c')
0 files changed, 0 insertions, 0 deletions
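
The fix the commit message describes (compute the blob size from the actual field lengths, then allocate) can be modelled in userspace C. This is an added example, not the patch's code and not the kernel's structures. `struct auth_fields`, `auth_blob_size()`, `put_utf16()` and `build_auth_blob()` are hypothetical names, the 64-byte header is derived from the message's 320B / 5 figure, and names are assumed to be ASCII.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define AUTH_HDR_LEN  64u                  /* 320B / 5, per the commit message (x86_64) */
#define OLD_FIXED_LEN (5u * AUTH_HDR_LEN)  /* the "empirical" static size */

struct auth_fields {       /* hypothetical model, not the kernel struct */
    const char *domain;    /* ASCII here; placed in the blob as UTF-16LE */
    const char *user;
    size_t      resp_len;  /* length of the response field, caller-supplied */
};

/* Bytes the blob needs; 0 if the sum would overflow size_t. */
size_t auth_blob_size(const struct auth_fields *f)
{
    size_t d = strlen(f->domain), u = strlen(f->user);
    size_t lim = (SIZE_MAX - AUTH_HDR_LEN) / 4;
    if (d > lim || u > lim || f->resp_len > SIZE_MAX - AUTH_HDR_LEN - 2 * d - 2 * u)
        return 0;
    return AUTH_HDR_LEN + 2 * d + 2 * u + f->resp_len;
}

/* Append s as UTF-16LE at *off; never writes past cap (invariant: *off <= cap). */
static int put_utf16(uint8_t *buf, size_t cap, size_t *off, const char *s)
{
    for (; *s; s++) {
        if (cap - *off < 2)
            return -1;
        buf[(*off)++] = (uint8_t)*s;
        buf[(*off)++] = 0;
    }
    return 0;
}

/* Size first, allocate, then fill. Caller frees *out on success. */
int build_auth_blob(const struct auth_fields *f, uint8_t **out, size_t *len)
{
    size_t need = auth_blob_size(f), off = AUTH_HDR_LEN;
    uint8_t *b;
    if (need == 0 || (b = calloc(1, need)) == NULL)
        return -1;
    if (put_utf16(b, need, &off, f->domain) || put_utf16(b, need, &off, f->user)) {
        free(b);
        return -1;
    }
    *out = b;
    *len = need;  /* the response bytes would be copied at off */
    return 0;
}
```

With two 256-character names the computed size is well above `OLD_FIXED_LEN`, which is the shortfall the commit message points out.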