Message ID | 20211005050343.268514-6-slow@samba.org (mailing list archive)
---|---
State | New, archived
Series | Buffer validation and compound handling patches
2021-10-05 14:03 GMT+09:00, Ralph Boehme <slow@samba.org>:
> smb2_validate_credit_charge() accesses fields in the SMB2 PDU body, but
> until smb2_calc_size() is called the PDU has not yet been verified to be
> large enough to access the PDU dynamic part length field.
>
> Signed-off-by: Ralph Boehme <slow@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>

Thanks for your work!
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 50521b5a50b5..1f14120a0e48 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -373,12 +373,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) } } - if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && - smb2_validate_credit_charge(hdr)) { - work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); - return 1; - } - if (smb2_calc_size(hdr, &clc_len)) return 1; @@ -416,6 +410,12 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } + if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && + smb2_validate_credit_charge(hdr)) { + work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); + return 1; + } + return 0; }
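Review bot: in the first hunk, removing the credit-charge block from before smb2_calc_size() also removes the only set_rsp_status(STATUS_INVALID_PARAMETER) call that ran ahead of the size check; the `if (smb2_calc_size(hdr, &clc_len)) return 1;` path that now catches a PDU too short to hold the dynamic-part length sets no status in the lines shown, so a request that previously failed with STATUS_INVALID_PARAMETER may now be answered with whatever status (if any) the calc_size failure path sets. That is acceptable for the fix, but the commit message should mention the status change for malformed requests so it is not mistaken for a regression.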
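Review bot: in the second hunk the block is re-added verbatim as the last check before `return 0;`, so it is reached only after smb2_calc_size() and the clc_len comparisons have established that the body fields it reads exist, which is exactly the ordering the commit message asks for. Missing documentation: since the code itself gives no hint that the position matters, a one-line comment above `if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&` stating that smb2_validate_credit_charge() dereferences body fields and must stay after smb2_calc_size() would keep a future cleanup from hoisting it back to the top of the function.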
smb2_validate_credit_charge() accesses fields in the SMB2 PDU body, but until
smb2_calc_size() is called the PDU has not yet been verified to be large enough
to access the PDU dynamic part length field.

Signed-off-by: Ralph Boehme <slow@samba.org>
---
 fs/ksmbd/smb2misc.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
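The ordering the patch restores (prove the PDU is long enough to contain a length field before reading that field, and only then run checks that depend on it) is easy to get wrong in any binary parser. The following is an added example written for this page, not ksmbd code: a small stand-alone model with the same three steps as ksmbd_smb2_check_message() after the patch. The 64-byte header and the CreditCharge offset of 2 are the real SMB2 values; the body layout (a u16 StructureSize, a u16 DynOffset and a u32 DynLength), the function names pdu_calc_size(), pdu_validate_credit_charge() and pdu_check(), and the status codes are assumptions made for illustration. The required credit charge follows the MS-SMB2 rule of one credit per 64 KiB of payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE    64u   /* SMB2 header length (real value) */
#define CC_OFFSET   2u    /* CreditCharge offset in the SMB2 header (real value) */
#define BODY_FIXED  8u    /* assumed fixed body: u16 StructureSize, u16 DynOffset, u32 DynLength */
#define MAX_DYN     131072u
#define MAX_PDU     (HDR_SIZE + BODY_FIXED + MAX_DYN)

enum pdu_status {
    PDU_OK = 0,
    PDU_SHORT_HEADER = 1,      /* fewer than HDR_SIZE bytes received */
    PDU_SHORT_BODY = 2,        /* fixed body part (holding DynLength) not present */
    PDU_LENGTH_MISMATCH = 3,   /* computed length != received length */
    PDU_BAD_CREDIT_CHARGE = 4  /* charge too small for the dynamic part */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Stand-in for smb2_calc_size(): establishes that the fixed body part is
 * present before reading DynLength from it, then reports the expected total. */
static int pdu_calc_size(const uint8_t *pdu, size_t len, size_t *clc_len)
{
    if (len < HDR_SIZE)
        return PDU_SHORT_HEADER;
    if (len < HDR_SIZE + BODY_FIXED)
        return PDU_SHORT_BODY;   /* reading body[4..7] here would run past the buffer */
    *clc_len = HDR_SIZE + BODY_FIXED + rd32(pdu + HDR_SIZE + 4);
    return PDU_OK;
}

/* Stand-in for smb2_validate_credit_charge(): it dereferences DynLength in the
 * body, so it is only safe once pdu_calc_size() has succeeded on this buffer. */
static int pdu_validate_credit_charge(const uint8_t *pdu)
{
    uint32_t dyn_len = rd32(pdu + HDR_SIZE + 4);
    uint16_t charge = rd16(pdu + CC_OFFSET);
    uint32_t required = dyn_len ? (dyn_len - 1u) / 65536u + 1u : 1u;
    return charge >= required ? PDU_OK : PDU_BAD_CREDIT_CHARGE;
}

/* Post-patch ordering: size checks first, credit-charge check last. */
int pdu_check(const uint8_t *pdu, size_t len)
{
    size_t clc_len = 0;
    int rc = pdu_calc_size(pdu, len, &clc_len);
    if (rc != PDU_OK)
        return rc;
    if (clc_len != len)
        return PDU_LENGTH_MISMATCH;
    return pdu_validate_credit_charge(pdu);
}

/* Constructed input: a PDU with the given charge and dynamic length, delivered
 * truncated to `deliver` bytes. Returns the number of bytes "received". */
size_t build_pdu(uint8_t *out, size_t cap, uint16_t charge, uint32_t dyn_len, size_t deliver)
{
    size_t total = HDR_SIZE + BODY_FIXED + dyn_len;
    if (total > cap || deliver > total)
        return 0;
    memset(out, 0, total);
    wr16(out + CC_OFFSET, charge);
    wr16(out + HDR_SIZE, (uint16_t)BODY_FIXED);                    /* StructureSize (assumed) */
    wr16(out + HDR_SIZE + 2, (uint16_t)(HDR_SIZE + BODY_FIXED));   /* DynOffset (assumed) */
    wr32(out + HDR_SIZE + 4, dyn_len);                             /* DynLength (assumed) */
    return deliver;
}

/* Runs one constructed case through pdu_check(). */
int check_case(uint16_t charge, uint32_t dyn_len, size_t deliver)
{
    static uint8_t buf[MAX_PDU];
    size_t n = build_pdu(buf, sizeof buf, charge, dyn_len, deliver);
    return pdu_check(buf, n);
}

int main(void)
{
    printf("complete, charge 1, 100-byte payload: %d\n", check_case(1, 100, 172));
    printf("only 68 bytes delivered (body cut):     %d\n", check_case(1, 100, 68));
    printf("charge 1 for 70000-byte payload:        %d\n", check_case(1, 70000, 70072));
    return 0;
}
```

The point to take from the model is that pdu_validate_credit_charge() has no length parameter at all, just as smb2_validate_credit_charge(hdr) takes only the header pointer: its safety is entirely a property of where it is called, which is why the patch moves the call rather than changing the function.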