| Message ID | 20220926033631.926637-2-zhangxiaoxu5@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fix some bug in FSCTL_VALIDATE_NEGOTIATE_INFO handler | expand |
merged into cifs-2.6.git for-next (waiting on additional review/testing of patch 3 in the series before merging that) On Sun, Sep 25, 2022 at 9:35 PM Zhang Xiaoxu <zhangxiaoxu5@huawei.com> wrote: > > Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") > extend the dialects from 3 to 4, but forget to decrease the extended > length when specific the dialect, then the message length is larger > than expected. > > This maybe leak some info through network because not initialize the > message body. > > After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is > reduced from 28 bytes to 26 bytes. > > Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") > Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com> > Cc: <stable@vger.kernel.org> > Reviewed-by: Tom Talpey <tom@talpey.com> > --- > fs/cifs/smb2pdu.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 40da444c46b4..90ccac18f9f3 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -1169,9 +1169,9 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) > pneg_inbuf->Dialects[0] = > cpu_to_le16(server->vals->protocol_id); > pneg_inbuf->DialectCount = cpu_to_le16(1); > - /* structure is big enough for 3 dialects, sending only 1 */ > + /* structure is big enough for 4 dialects, sending only 1 */ > inbuflen = sizeof(*pneg_inbuf) - > - sizeof(pneg_inbuf->Dialects[0]) * 2; > + sizeof(pneg_inbuf->Dialects[0]) * 3; > } > > rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, > -- > 2.31.1 >
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 40da444c46b4..90ccac18f9f3 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1169,9 +1169,9 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) pneg_inbuf->Dialects[0] = cpu_to_le16(server->vals->protocol_id); pneg_inbuf->DialectCount = cpu_to_le16(1); - /* structure is big enough for 3 dialects, sending only 1 */ + /* structure is big enough for 4 dialects, sending only 1 */ inbuflen = sizeof(*pneg_inbuf) - - sizeof(pneg_inbuf->Dialects[0]) * 2; + sizeof(pneg_inbuf->Dialects[0]) * 3; } rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") extend the dialects from 3 to 4, but forget to decrease the extended length when specific the dialect, then the message length is larger than expected. This maybe leak some info through network because not initialize the message body. After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes. Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Cc: <stable@vger.kernel.org> Reviewed-by: Tom Talpey <tom@talpey.com> --- fs/cifs/smb2pdu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)