From 85ff2fb76319273b49886492fdd36479bebc194b Mon Sep 17 00:00:00 2001
From: Marios Makassikis <mmakassikis@freebox.fr>
Date: Sun, 6 Nov 2022 22:02:49 +0100
Subject: [PATCH 10/17] ksmbd-tools: mountd: validate RPC request

Avoid potential OOB read on short message, and make sure req->payload_sz
is set.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
---
 mountd/worker.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mountd/worker.c b/mountd/worker.c
index 8fa3f309f9e3..b2b1e1106b87 100644
--- a/mountd/worker.c
+++ b/mountd/worker.c
@@ -220,9 +220,12 @@ static int rpc_request(struct ksmbd_ipc_msg *msg)
 {
 	struct ksmbd_rpc_command *req;
 	struct ksmbd_rpc_command *resp;
-	struct ksmbd_ipc_msg *resp_msg;
+	struct ksmbd_ipc_msg *resp_msg = NULL;
 	int ret = -ENOTSUP;
 
+	if (msg->sz < sizeof(struct ksmbd_rpc_command))
+		goto out;
+
 	req = KSMBD_IPC_MSG_PAYLOAD(msg);
 	if (req->flags & KSMBD_RPC_METHOD_RETURN)
 		resp_msg = ipc_msg_alloc(KSMBD_IPC_MAX_MESSAGE_SIZE -
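Review bot: The guard added at the top of rpc_request only proves that the fixed-size header fits in `msg->sz`; it does not bound `req->payload_sz`, which is read from the message itself, against the bytes that actually follow the header. If code further down (outside this hunk) walks `req->payload` for `payload_sz` bytes, an overstated length would still read past the end of the message, so right after `req = KSMBD_IPC_MSG_PAYLOAD(msg);` I would add `if (req->payload_sz > msg->sz - sizeof(struct ksmbd_rpc_command)) goto out;`. The short-message path also returns the initial `-ENOTSUP`; setting `ret = -EINVAL;` before the `goto out` would let callers and logs tell a malformed request from an unsupported method. The `out:` label and the rest of the function are outside the hunk, so how the now NULL-initialised `resp_msg` is cleaned up cannot be confirmed from here.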
-- 
2.25.1

