CVE-2024-49996

Severity CVSS v4.0:
Pending analysis
Type:
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix buffer overflow when parsing NFS reparse points

ReparseDataLength is the sum of the InodeType size and the DataBuffer size. So to get the DataBuffer size it is necessary to subtract InodeType's size from ReparseDataLength.

Function cifs_strndup_from_utf16() is currently accessing buf->DataBuffer at a position after the end of the buffer because it does not subtract the InodeType size from the length. Fix this problem and correctly subtract variable len.

Member InodeType is present only when the reparse buffer is large enough. Check ReparseDataLength before accessing InodeType to prevent another invalid memory access.

Major and minor rdev values are also present only when the reparse buffer is large enough. Check the reparse buffer size before calling reparse_mkdev().
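The three length problems named in the description (DataBuffer size derived without subtracting InodeType, InodeType read before checking ReparseDataLength covers it, major/minor read without checking the buffer holds them) can be modelled in a few lines. The block below is an added example written for this page, not the kernel's cifs code: the field offsets (a 32-bit tag, 16-bit ReparseDataLength, 16 reserved bits, 64-bit InodeType, then DataBuffer), the InodeType values, and every function name in it are assumptions of this example. vulnerable_read_end() reproduces the pre-fix arithmetic and reports how far past the end of the input it would read; parse_nfs_reparse() applies the checks the fix describes; build_reparse() constructs sample buffers with ReparseDataLength set as the advisory defines it.

```c
#include <stdint.h>
#include <string.h>

#define EIO 5

/* Field offsets assumed for this example from the names in the advisory (32-bit
 * ReparseTag, 16-bit ReparseDataLength, 16 reserved bits, 64-bit InodeType, then
 * DataBuffer); they are not copied from the kernel headers. */
#define OFF_DATALEN 4
#define OFF_INODE   8
#define OFF_DATA    16   /* start of DataBuffer */
#define INODE_SZ    8    /* sizeof(InodeType) */

/* Hypothetical InodeType values, for this example only. */
enum { NFS_TYPE_LNK = 1, NFS_TYPE_CHR = 2, NFS_TYPE_BLK = 3 };

struct nfs_reparse {
    uint64_t inode_type; const uint8_t *target; size_t target_len;  /* target: LNK, points into input */
    uint32_t major, minor;                                           /* CHR/BLK only */
};

/* Little-endian readers: the wire format is LE, the host need not be. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Pre-fix arithmetic: ReparseDataLength taken as the DataBuffer size. Returns the
 * offset one past the last byte that would be read from DataBuffer. */
size_t vulnerable_read_end(const uint8_t *raw)
{
    return OFF_DATA + rd16(raw + OFF_DATALEN);   /* bug: length still includes InodeType */
}

/* Parser with the three checks the fix describes; 0 on success, -EIO if malformed. */
int parse_nfs_reparse(const uint8_t *raw, size_t raw_len, struct nfs_reparse *out)
{
    if (raw_len < OFF_INODE) return -EIO;        /* need header up to ReparseDataLength */
    size_t len = rd16(raw + OFF_DATALEN);
    if (len < INODE_SZ) return -EIO;             /* InodeType is present only if it fits */
    if (OFF_INODE + len > raw_len) return -EIO;  /* declared length must fit the input */
    len -= INODE_SZ;                             /* DataBuffer size excludes InodeType */
    memset(out, 0, sizeof(*out));
    out->inode_type = rd64(raw + OFF_INODE);
    switch (out->inode_type) {
    case NFS_TYPE_LNK:                           /* strndup gets len, not len + 8 */
        out->target = raw + OFF_DATA;
        out->target_len = len;
        break;
    case NFS_TYPE_CHR: case NFS_TYPE_BLK:        /* major+minor only when both u32s exist */
        if (len != 2 * sizeof(uint32_t)) return -EIO;
        out->major = rd32(raw + OFF_DATA);
        out->minor = rd32(raw + OFF_DATA + 4);
        break;
    default: break;
    }
    return 0;
}

/* Builds a constructed buffer with ReparseDataLength = sizeof(InodeType) + dlen, as
 * the advisory defines it. Returns bytes written, or 0 if it does not fit. */
size_t build_reparse(uint64_t type, const void *data, size_t dlen, uint8_t *out, size_t cap)
{
    if (OFF_DATA + dlen > cap || INODE_SZ + dlen > 0xFFFF) return 0;
    memset(out, 0, OFF_DATA);
    out[OFF_DATALEN] = (uint8_t)(INODE_SZ + dlen);
    out[OFF_DATALEN + 1] = (uint8_t)((INODE_SZ + dlen) >> 8);
    for (int i = 0; i < INODE_SZ; i++) out[OFF_INODE + i] = (uint8_t)(type >> (8 * i));
    memcpy(out + OFF_DATA, data, dlen);
    return OFF_DATA + dlen;
}

/* Scenarios on constructed sample input (not captured traffic). */
uint32_t last_major, last_minor;
static size_t mk_symlink(uint8_t *buf) { return build_reparse(NFS_TYPE_LNK, "/tmp", 4, buf, 64); }

size_t symlink_overread_bytes(void)   /* bytes the old arithmetic reads past the end */
{
    uint8_t buf[64]; size_t n = mk_symlink(buf);
    return vulnerable_read_end(buf) - n;
}
int symlink_target_len(void)          /* what the fixed parser hands to strndup */
{
    uint8_t buf[64]; struct nfs_reparse r; size_t n = mk_symlink(buf);
    return parse_nfs_reparse(buf, n, &r) == 0 ? (int)r.target_len : -1;
}
int chr_rc(size_t dlen)               /* CHR node carrying dlen DataBuffer bytes */
{
    uint8_t dev[8] = { 8, 0, 0, 0, 1, 0, 0, 0 };   /* major 8, minor 1 (LE) */
    uint8_t buf[64]; struct nfs_reparse r;
    int rc = parse_nfs_reparse(buf, build_reparse(NFS_TYPE_CHR, dev, dlen, buf, 64), &r);
    if (rc == 0) { last_major = r.major; last_minor = r.minor; }
    return rc;
}
int short_rc(void)                    /* ReparseDataLength smaller than InodeType */
{
    uint8_t buf[OFF_DATA] = { 0 }; struct nfs_reparse r;
    buf[OFF_DATALEN] = 4;
    return parse_nfs_reparse(buf, sizeof buf, &r);
}
```

For a 4-byte symlink target the buffer is 20 bytes and ReparseDataLength is 12; the old arithmetic passes 12 to the UTF-16 copy and runs 8 bytes (the size of InodeType) past the end, while the fixed parser passes 4. A server that sets ReparseDataLength below 8 is rejected before InodeType is read, and a CHR/BLK entry whose DataBuffer is not exactly two 32-bit values is rejected before major and minor are decoded.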

Vulnerable products and versions

CPE                                            From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.3                6.6.55
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7                6.10.14
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.11               6.11.3