ksmbd: fix error code in ndr_read_int32()

Dan Carpenter · smfrench · commit ef399469d9ce · 2021-12-16T12:36:49.000-06:00
This is a failure path and it should return -EINVAL instead of success. Otherwise it could result in the caller using uninitialized memory. Fixes: 303fff2 ("ksmbd: add validation for ndr read/write functions") Cc: stable@vger.kernel.org # v5.15 Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Steve French <stfrench@microsoft.com>
diff --git a/fs/ksmbd/ndr.c b/fs/ksmbd/ndr.c
@@ -148,7 +148,7 @@ static int ndr_read_int16(struct ndr *n, __u16 *value)
 static int ndr_read_int32(struct ndr *n, __u32 *value)
 {
 	if (n->offset + sizeof(__u32) > n->length)
-		return 0;
+		return -EINVAL;
 
 	if (value)
 		*value = le32_to_cpu(*(__le32 *)ndr_get_field(n));

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ static int ndr_read_int16(struct ndr n, __u16 value)`
`148`	`148`	`static int ndr_read_int32(struct ndr n, __u32 value)`
`149`	`149`	`{`
`150`	`150`	`if (n->offset + sizeof(__u32) > n->length)`
`151`		`- return 0;`
	`151`	`+ return -EINVAL;`
`152`	`152`
`153`	`153`	`if (value)`
`154`	`154`	`value = le32_to_cpu((__le32 *)ndr_get_field(n));`