From afc9081310d2e74738a91294053df32d91081f22 Mon Sep 17 00:00:00 2001
From: Marios Makassikis <mmakassikis@freebox.fr>
Date: Sun, 6 Nov 2022 22:27:57 +0100
Subject: [PATCH 12/17] ksmbd-tools: mountd: validate num_subauth in
 smb_read_sid()

Ensure num_subauth is not larger than sid->sub_auth (which is of fixed
size).

Additionally, num_subauth must not be 0, as it is decremented after a
call to smb_read_sid() and it will cause an out-of-bounds read.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
---
 mountd/smbacl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mountd/smbacl.c b/mountd/smbacl.c
index 8cdd55dcbe5c..b4f08777b164 100644
--- a/mountd/smbacl.c
+++ b/mountd/smbacl.c
@@ -37,6 +37,8 @@ int smb_read_sid(struct ksmbd_dcerpc *dce, struct smb_sid *sid)
 		return -EINVAL;
 	if (ndr_read_int8(dce, &sid->num_subauth))
 		return -EINVAL;
+	if (!sid->num_subauth || sid->num_subauth >= SID_MAX_SUB_AUTHORITIES)
+		return -EINVAL;
 	for (i = 0; i < NUM_AUTHS; ++i)
 		if (ndr_read_int8(dce, &sid->authority[i]))
 			return -EINVAL;
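Review bot: The upper bound in `sid->num_subauth >= SID_MAX_SUB_AUTHORITIES` is stricter than the commit message's "not larger than", so a SID carrying exactly SID_MAX_SUB_AUTHORITIES sub-authorities is rejected as well. If `sub_auth` is declared with SID_MAX_SUB_AUTHORITIES elements (the declaration is not visible in this hunk), `> SID_MAX_SUB_AUTHORITIES` would be the exact bound. If the tighter limit is deliberate, a comment above the check would record why, for example `/* num_subauth comes off the wire: it bounds the sub_auth[] reads and is decremented by callers, so 0 and oversized counts are both rejected */`. The check also assumes `num_subauth` is an unsigned 8-bit field; a signed type would let negative values through both conditions, so that is worth confirming against the struct definition. The body of smb_read_sid() starts and ends outside this hunk.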
-- 
2.25.1

