ksmbd: avoid out of bounds access in decode_preauth_ctxt()
3Vexday Risk Score
No sign of exploitation. No public exploitation artifact known so far.
ssvc Trackepss 0.2%
exploitation probability
0.2%top 94% of all CVEs
observed exploitation
nono source reports it
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: avoid out of bounds access in decode_preauth_ctxt()
Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
the SMB request boundary; deassemble_neg_contexts() only checks that the
eight byte smb2_neg_context header + (client controlled) DataLength are
within the packet boundary, which is insufficient.
Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
Affected products
Linux · Linux