Diffstat (limited to 'usr/src/uts/common/fs/smbsrv')
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_kshare.c1
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_server.c16
2 files changed, 17 insertions, 0 deletions
diff --git a/usr/src/uts/common/fs/smbsrv/smb_kshare.c b/usr/src/uts/common/fs/smbsrv/smb_kshare.c
index 01d382fed7..056619d90b 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_kshare.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_kshare.c
@@ -351,6 +351,7 @@ smb_kshare_g_fini(void)
kmem_cache_destroy(smb_kshare_cache_share);
}
+
/*
* A list of shares in nvlist format can be sent down
* from userspace thourgh the IOCTL interface. The nvlist
diff --git a/usr/src/uts/common/fs/smbsrv/smb_server.c b/usr/src/uts/common/fs/smbsrv/smb_server.c
index 7f56792f7d..af12a0c30b 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_server.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_server.c
@@ -897,6 +897,22 @@ smb_server_enum(smb_ioc_svcenum_t *ioc)
smb_svcenum_t *svcenum = &ioc->svcenum;
smb_server_t *sv;
int rc;
+ uint32_t buflen_adjusted;
+
+ /*
+ * Reality check that the buffer-length insize the enum doesn't
+ * overrun the ioctl's total length.
+ *
+ * NOTE: Assume se_buf is at the end of smb_svcenum_t.
+ */
+ buflen_adjusted = svcenum->se_buflen +
+ offsetof(smb_svcenum_t, se_buf) + sizeof (ioc->hdr);
+ if (buflen_adjusted < svcenum->se_buflen || /* Overflow check 1, */
+ buflen_adjusted < offsetof(smb_svcenum_t, se_buf) || /* check 2, */
+ buflen_adjusted < sizeof (ioc->hdr) || /* check 3. */
+ buflen_adjusted > ioc->hdr.len) {
+ return (EINVAL);
+ }
/*
* Reality check that the buffer-length insize the enum doesn't