X-Patchwork-Submitter: Shirish Pargaonkar
X-Patchwork-Id: 10446397
From: shirishpargaonkar@gmail.com
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, stable@vger.kernel.org, Shirish Pargaonkar, Noah Morrison
Subject: [PATCH] cifs: For SMB2 security information query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
Date: Mon, 4 Jun 2018 06:46:22 -0500
Message-Id: <1528112782-13759-1-git-send-email-shirishpargaonkar@gmail.com>

From: Shirish Pargaonkar Validate_buf () function checks for an expected minimum sized response passed to query_info() function. For security information, the size of a security descriptor can be smaller (one subauthority, no ACEs) than the size of the structure that defines FileInfoClass of FileAllInformation. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725 Cc: Signed-off-by: Shirish Pargaonkar Signed-off-by: Noah Morrison --- fs/cifs/cifsacl.h | 14 ++++++++++++++ fs/cifs/smb2pdu.c | 3 +-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h index 4f38848..dd95a6f 100644 --- a/fs/cifs/cifsacl.h +++ b/fs/cifs/cifsacl.h @@ -98,4 +98,18 @@ struct cifs_ace { struct cifs_sid sid; /* ie UUID of user or group who gets these perms */ } __attribute__((packed)); +/* + * Minimum security identifier can be one for system defined Users + * and Groups such as NULL SID and World or Built-in accounts such + * as Administrator and Guest and consists of + * Revision + Num (Sub)Auths + Authority + Domain (one Subauthority) + */ +#define MIN_SID_LEN (1 + 1 + 6 + 4) /* in bytes */ + +/* + * Minimum security descriptor can be one without any SACL and DACL and can + * consist of revision, type, and two sids of minimum size for owner and group + */ +#define MIN_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + (2 * MIN_SID_LEN)) + #endif /* _CIFSACL_H */ diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 60db51b..47538a4 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2374,8 +2374,7 @@ int SMB2_query_info(const unsigned int xid, struct cifs_tcon *tcon, return query_info(xid, tcon, persistent_fid, volatile_fid, 0, SMB2_O_INFO_SECURITY, additional_info, - SMB2_MAX_BUFFER_SIZE, - sizeof(struct smb2_file_all_info), data, plen); + SMB2_MAX_BUFFER_SIZE, MIN_SEC_DESC_LEN, data, plen); } int
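Review bot: MIN_SID_LEN in the fs/cifs/cifsacl.h hunk is built from bare literals, `(1 + 1 + 6 + 4)`, so nothing ties the value to the layout of struct cifs_sid and the two can drift apart without a build error. Consider expressing it through the fields of struct cifs_sid, or adding a compile-time check that the sum matches the struct with one sub-authority. The comment above it is also hard to parse ("Minimum security identifier can be one for system defined Users and Groups"); stating directly that the smallest SID carries exactly one sub-authority, and giving the byte count of each field next to its name, would make the macro self-documenting. Because MIN_SEC_DESC_LEN only guarantees room for the header plus two one-sub-authority SIDs, it is worth noting in the comment that it is a lower bound for accepting the reply, not a substitute for bounds-checking each SID against the returned length when the descriptor is parsed.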
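Review bot: In the fs/cifs/smb2pdu.c hunk the minimum passed to query_info() becomes the fixed MIN_SEC_DESC_LEN, which by its own definition assumes both an owner and a group SID are present, while `additional_info` on the same call is supplied by the caller. If any caller can request only part of the descriptor, a valid reply could be shorter than this floor and would be rejected just as small descriptors were rejected by the old `sizeof(struct smb2_file_all_info)` value. Please confirm that every caller asks for owner and group, or derive the minimum from `additional_info` (falling back to `sizeof(struct cifs_ntsd)` and validating the SID offsets during parsing). A one-line comment at the call explaining why this constant is the floor would also help, since the rationale currently lives only in the commit message.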