Message ID | 20210918094513.89480-3-linkinjeon@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Series | [1/4] ksmbd: add request buffer validation in smb2_set_info |
Merged into cifsd-for-next (smbd-for-next) after fixing typo in title. The other three look promising but want to look in more detail at those unless others have review feedback on those - those patches include some potentially very important checks. On Sat, Sep 18, 2021 at 4:45 AM Namjae Jeon <linkinjeon@kernel.org> wrote: > > Add validation to check whether req->InputBufferLength is smaller than > smb2_ea_info_req structure size. > > Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> > Cc: Ralph Böhme <slow@samba.org> > Cc: Steve French <smfrench@gmail.com> > Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> > --- > fs/ksmbd/smb2pdu.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c > index e589e8cc389f..e92af212583e 100644 > --- a/fs/ksmbd/smb2pdu.c > +++ b/fs/ksmbd/smb2pdu.c > @@ -4059,6 +4059,10 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp, > path = &fp->filp->f_path; > /* single EA entry is requested with given user.* name */ > if (req->InputBufferLength) { > + if (le32_to_cpu(req->InputBufferLength) < > + sizeof(struct smb2_ea_info_req)) > + return -EINVAL; > + > ea_req = (struct smb2_ea_info_req *)req->Buffer; > } else { > /* need to send all EAs, if no specific EA is requested*/ > -- > 2.25.1 >
Regression tests with the three in linux-next passed ... http://smb3-test-rhel-75.southcentralus.cloudapp.azure.com/#/builders/8/builds/67 On Sat, Sep 18, 2021 at 10:55 AM Steve French <smfrench@gmail.com> wrote: > > Merged into cifsd-for-next (smbd-for-next) after fixing typo in title. > The other three look promising but want to look in more detail at > those unless others have review feedback on those - those patches > include some potentially very important checks. > > On Sat, Sep 18, 2021 at 4:45 AM Namjae Jeon <linkinjeon@kernel.org> wrote: > > > > Add validation to check whether req->InputBufferLength is smaller than > > smb2_ea_info_req structure size. > > > > Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> > > Cc: Ralph Böhme <slow@samba.org> > > Cc: Steve French <smfrench@gmail.com> > > Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> > > --- > > fs/ksmbd/smb2pdu.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c > > index e589e8cc389f..e92af212583e 100644 > > --- a/fs/ksmbd/smb2pdu.c > > +++ b/fs/ksmbd/smb2pdu.c > > @@ -4059,6 +4059,10 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp, > > path = &fp->filp->f_path; > > /* single EA entry is requested with given user.* name */ > > if (req->InputBufferLength) { > > + if (le32_to_cpu(req->InputBufferLength) < > > + sizeof(struct smb2_ea_info_req)) > > + return -EINVAL; > > + > > ea_req = (struct smb2_ea_info_req *)req->Buffer; > > } else { > > /* need to send all EAs, if no specific EA is requested*/ > > -- > > 2.25.1 > > > > > -- > Thanks, > > Steve
On 18.09.21 at 17:55, Steve French wrote:
> Merged into cifsd-for-next (smbd-for-next) after fixing typo in title.
> The other three look promising but want to look in more detail at
> those unless others have review feedback on those - those patches
> include some potentially very important checks.

I'm carefully looking at all four, it just takes a bit of time.

Cheers!
-slow
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index e589e8cc389f..e92af212583e 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -4059,6 +4059,10 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp, path = &fp->filp->f_path; /* single EA entry is requested with given user.* name */ if (req->InputBufferLength) { + if (le32_to_cpu(req->InputBufferLength) < + sizeof(struct smb2_ea_info_req)) + return -EINVAL; + ea_req = (struct smb2_ea_info_req *)req->Buffer; } else { /* need to send all EAs, if no specific EA is requested*/
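Review bot: The new check in smb2_get_ea() compares req->InputBufferLength only against sizeof(struct smb2_ea_info_req); nothing in this hunk ties that client-supplied length to the number of bytes actually present behind req->Buffer in the received request. A request that declares a large InputBufferLength but carries a short buffer still passes, and ea_req is then pointed at req->Buffer. Consider also bounding the buffer against the received request length before the cast, and checking the length of the requested name (the comment says a single user.* name is given) against InputBufferLength wherever it is read.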
Add validation to check whether req->InputBufferLength is smaller than
smb2_ea_info_req structure size.

Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Cc: Steve French <smfrench@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/ksmbd/smb2pdu.c | 4 ++++
 1 file changed, 4 insertions(+)