| Message ID | 20190921112600.utzouyddp3cdmxhe@XZHOUW.usersys.redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | CIFS: fix max ea value size | expand |
"Murphy Zhou" <jencce.kernel@gmail.com> writes: > It should not be larger then the slab max buf size. If user > specifies a larger size, it passes this check and goes > straightly to SMB2_set_info_init performing an insecure memcpy. It's even smaller than that as CIFSMaxBufSize is the max size for the whole packet IIRC. The EA payload needs to fit into that. So it should be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial header). And if we set multiple EA at the same time it has to be divided by the number of EAs etc... Cheers,
On Sat, Sep 21, 2019 at 08:23:32PM +0200, Aurélien Aptel wrote: > "Murphy Zhou" <jencce.kernel@gmail.com> writes: > > It should not be larger then the slab max buf size. If user > > specifies a larger size, it passes this check and goes > > straightly to SMB2_set_info_init performing an insecure memcpy. > > It's even smaller than that as CIFSMaxBufSize is the max size for the > whole packet IIRC. The EA payload needs to fit into that. So it should > be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial header). No need. Slab size includes the bufzise and the header size. > And if we set multiple EA at the same time it has to be divided > by the number of EAs etc... They will be handled separately and slab will work well. > > Cheers, > -- > Aurélien Aptel / SUSE Labs Samba Team > GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3 > SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE > GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
Your patch looks correct - added cc:stable and merged to cifs-2.6.git for-next On Sun, Sep 22, 2019 at 2:23 PM Murphy Zhou <jencce.kernel@gmail.com> wrote: > > On Sat, Sep 21, 2019 at 08:23:32PM +0200, Aurélien Aptel wrote: > > "Murphy Zhou" <jencce.kernel@gmail.com> writes: > > > It should not be larger then the slab max buf size. If user > > > specifies a larger size, it passes this check and goes > > > straightly to SMB2_set_info_init performing an insecure memcpy. > > > > It's even smaller than that as CIFSMaxBufSize is the max size for the > > whole packet IIRC. The EA payload needs to fit into that. So it should > > be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial header). > > No need. Slab size includes the bufzise and the header size. > > > And if we set multiple EA at the same time it has to be divided > > by the number of EAs etc... > > They will be handled separately and slab will work well. > > > > > Cheers, > > -- > > Aurélien Aptel / SUSE Labs Samba Team > > GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3 > > SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE > > GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
"Murphy Zhou" <jencce.kernel@gmail.com> writes: > No need. Slab size includes the bufzise and the header size. > >> And if we set multiple EA at the same time it has to be divided >> by the number of EAs etc... > > They will be handled separately and slab will work well. Oh, you are right, I have no more remarks then. We reviewed this with steve. Thanks
diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c index 9076150758d8..db4ba8f6077e 100644 --- a/fs/cifs/xattr.c +++ b/fs/cifs/xattr.c @@ -31,7 +31,7 @@ #include "cifs_fs_sb.h" #include "cifs_unicode.h" -#define MAX_EA_VALUE_SIZE 65535 +#define MAX_EA_VALUE_SIZE CIFSMaxBufSize #define CIFS_XATTR_CIFS_ACL "system.cifs_acl" #define CIFS_XATTR_ATTRIB "cifs.dosattrib" /* full name: user.cifs.dosattrib */ #define CIFS_XATTR_CREATETIME "cifs.creationtime" /* user.cifs.creationtime */
It should not be larger then the slab max buf size. If user specifies a larger size, it passes this check and goes straightly to SMB2_set_info_init performing an insecure memcpy. Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com> --- fs/cifs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)