From patchwork Tue Sep 13 10:40:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12974624 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 050C1C6FA8B for ; Tue, 13 Sep 2022 09:40:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231495AbiIMJkO (ORCPT ); Tue, 13 Sep 2022 05:40:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48490 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231748AbiIMJkH (ORCPT ); Tue, 13 Sep 2022 05:40:07 -0400 Received: from dggsgout12.his.huawei.com (dggsgout12.his.huawei.com [45.249.212.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7D27101C0 for ; Tue, 13 Sep 2022 02:40:04 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout12.his.huawei.com (SkyGuard) with ESMTP id 4MRdgQ6dhvz6PfVP for ; Tue, 13 Sep 2022 17:38:10 +0800 (CST) Received: from huaweicloud.com (unknown [10.175.104.170]) by APP2 (Coremail) with SMTP id Syh0CgC3VW_uTyBjIj4hAw--.48825S7; Tue, 13 Sep 2022 17:40:02 +0800 (CST) From: Zhang Xiaoxu To: linux-cifs@vger.kernel.org, zhangxiaoxu5@huawei.com, sfrench@samba.org, pc@cjr.nz, lsahlber@redhat.com, sprasad@microsoft.com, rohiths@microsoft.com, smfrench@gmail.com, tom@talpey.com, linkinjeon@kernel.org, hyc.lee@gmail.com Subject: [PATCH v5 3/5] ksmbd: Fix FSCTL_VALIDATE_NEGOTIATE_INFO message length check in smb2_ioctl() Date: Tue, 13 Sep 2022 18:40:57 +0800 Message-Id: <20220913104059.2545304-4-zhangxiaoxu5@huawei.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220913104059.2545304-1-zhangxiaoxu5@huawei.com> References: <20220913104059.2545304-1-zhangxiaoxu5@huawei.com> MIME-Version: 1.0 X-CM-TRANSID: Syh0CgC3VW_uTyBjIj4hAw--.48825S7 X-Coremail-Antispam: 1UD129KBjvdXoWrtrWxXryrKw1kAr4rXFyxKrg_yoWfJwb_GF WrAa1xXa4UJF4xJw1DJF40qFn8Xw4rGr1rWF48tFWDJa9rJr93Z3saqa97try2ka15Gr48 u3s0g3WDurW2gjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbqkYFVCjjxCrM7AC8VAFwI0_Wr0E3s1l1xkIjI8I6I8E6xAIw20E Y4v20xvaj40_JFC_Wr1l1IIY67AEw4v_Jr0_Jr4l82xGYIkIc2x26280x7IE14v26r1rM2 8IrcIa0xkI8VCY1x0267AKxVW5JVCq3wA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK 021l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r 4UJVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_ GcCE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx 0E2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWU JVW8JwACjcxG0xvY0x0EwIxGrwACI402YVCY1x02628vn2kIc2xKxwCF04k20xvY0x0EwI xGrwCF04k20xvEw4C26cxK6c8Ij28IcwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02 F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GF ylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r 1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07UQ iSdUUUUU= Sender: zhangxiaoxu@huaweicloud.com X-CM-SenderInfo: x2kd0wp0ld053x6k3tpzhluzxrxghudrp/ X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org The structure size includes 4 dialect slots, but the protocol does not require the client to send all 4. So this allows the negotiation to not fail. Fixes: c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and move its struct to smbfs_common") Signed-off-by: Zhang Xiaoxu Cc: --- fs/ksmbd/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index b56d7688ccf1..09ae601e64f9 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -7640,7 +7640,8 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) { + if (in_buf_len < offsetof(struct validate_negotiate_info_req, + Dialects)) { ret = -EINVAL; goto out; }