| Message ID | 20210924021254.27096-7-linkinjeon@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | a bunch of patches that have not yet been reviewed | expand |
Looks good to me. Acked-by: Hyunchul Lee <hyc.lee@gmail.com> 2021년 9월 24일 (금) 오전 11:13, Namjae Jeon <linkinjeon@kernel.org>님이 작성: > > Ronnie reported invalid request buffer access in chained command when > inserting garbage value to NextCommand of compound request. > This patch add validation check to avoid this issue. > > Cc: Tom Talpey <tom@talpey.com> > Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> > Cc: Ralph Böhme <slow@samba.org> > Cc: Steve French <smfrench@gmail.com> > Cc: Hyunchul Lee <hyc.lee@gmail.com> > Cc: Sergey Senozhatsky <senozhatsky@chromium.org> > Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> > --- > fs/ksmbd/smb2pdu.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c > index a930838fd6ac..4f7b5e18a7b9 100644 > --- a/fs/ksmbd/smb2pdu.c > +++ b/fs/ksmbd/smb2pdu.c > @@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) > bool is_chained_smb2_message(struct ksmbd_work *work) > { > struct smb2_hdr *hdr = work->request_buf; > - unsigned int len; > + unsigned int len, next_cmd; > > if (hdr->ProtocolId != SMB2_PROTO_NUMBER) > return false; > > hdr = ksmbd_req_buf_next(work); > - if (le32_to_cpu(hdr->NextCommand) > 0) { > + next_cmd = le32_to_cpu(hdr->NextCommand); > + if (next_cmd > 0) { > + if ((u64)work->next_smb2_rcv_hdr_off + next_cmd + > + __SMB2_HEADER_STRUCTURE_SIZE > > + get_rfc1002_len(work->request_buf)) { > + pr_err("next command(%u) offset exceeds smb msg size\n", > + next_cmd); > + return false; > + } > + > ksmbd_debug(SMB, "got SMB2 chained command\n"); > init_chained_smb2_rsp(work); > return true; > -- > 2.25.1 > -- Thanks, Hyunchul
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index a930838fd6ac..4f7b5e18a7b9 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) bool is_chained_smb2_message(struct ksmbd_work *work) { struct smb2_hdr *hdr = work->request_buf; - unsigned int len; + unsigned int len, next_cmd; if (hdr->ProtocolId != SMB2_PROTO_NUMBER) return false; hdr = ksmbd_req_buf_next(work); - if (le32_to_cpu(hdr->NextCommand) > 0) { + next_cmd = le32_to_cpu(hdr->NextCommand); + if (next_cmd > 0) { + if ((u64)work->next_smb2_rcv_hdr_off + next_cmd + + __SMB2_HEADER_STRUCTURE_SIZE > + get_rfc1002_len(work->request_buf)) { + pr_err("next command(%u) offset exceeds smb msg size\n", + next_cmd); + return false; + } + ksmbd_debug(SMB, "got SMB2 chained command\n"); init_chained_smb2_rsp(work); return true;
Ronnie reported invalid request buffer access in chained command when inserting garbage value to NextCommand of compound request. This patch add validation check to avoid this issue. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Cc: Steve French <smfrench@gmail.com> Cc: Hyunchul Lee <hyc.lee@gmail.com> Cc: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> --- fs/ksmbd/smb2pdu.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)