From patchwork Sun Apr 8 21:16:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve French X-Patchwork-Id: 10328559 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3D0AF604D4 for ; Sun, 8 Apr 2018 21:17:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2098328A16 for ; Sun, 8 Apr 2018 21:17:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 14B8D28A19; Sun, 8 Apr 2018 21:17:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, T_DKIM_INVALID, T_TVD_MIME_EPI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8F62F28A17 for ; Sun, 8 Apr 2018 21:17:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752414AbeDHVRK (ORCPT ); Sun, 8 Apr 2018 17:17:10 -0400 Received: from mail-pl0-f48.google.com ([209.85.160.48]:45359 "EHLO mail-pl0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752258AbeDHVRJ (ORCPT ); Sun, 8 Apr 2018 17:17:09 -0400 Received: by mail-pl0-f48.google.com with SMTP id e22-v6so2138617plj.12 for ; Sun, 08 Apr 2018 14:17:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=QwWQ9grLadIYv0k/lNlBMko4pU0giBu4yGtkmMyeuOw=; b=UQSDUabnQr0wplfQFHY0QjKVlY9+WmEl1T4sWhIxf3DOG9hGGvjia5DX+mSk05Qu3j 3lql50xMUQA2xO5WBG3HJbqld9f8vn71P3mV/zRjiGzgTf+H5mM7KoiMcZdD9efgqtOV Q1mgG78hX9pXoFVeaQRjcO3Nzx3UOzpxevvvarBXbu74Uz9crzXhy3Sj4ZTdeMqS2/RW 00jRQkFKJxsRJYV5P5YVgG+rhIFU8NSBJsyW03dlws2B//5r2vUYjNUH2SDnJUHnXKtA qsL6vfahpFzYGRLW5FKRBVLpieJIA8qc8FwetY+pv4z92PDgQHM3B7knQJXKimSTFkY2 HZSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=QwWQ9grLadIYv0k/lNlBMko4pU0giBu4yGtkmMyeuOw=; b=cxVJn+U+y7dWUqOf1aLy1Nci6i0D2OvK5jPX6Ri+r+2ZDU1NqT84TI78ebrPFuj9Ix 3WRuIv5NhcqRTZgH+qlCyQd6gLTp60SpwXfsTYuGotkMcESObvko5IUjsGhGTvyQIlMx p8Zn7aSulnfcjZrNWENHWWnBLuoUfvBE0Nl6NIUGFE8FXBlKQMmzpdbSAHJyjDGDykx6 c7hnPVPW9HVduhSRueJ8Mxo6StqThySyB2xarWfRFFvpxmf71cmi/c8/NjQc2b3s5DOq 2SG1hj3yLaGDCIIFCrMsDHoLR+AZo1s48yQB5H3RGGpGtyMkCgpn0dvlBlgR5ejLsyZ4 xYhw== X-Gm-Message-State: AElRT7EOGzdV9mRnhmYEuna9tY6g7kTqAsm4OhD3SUIy+sa84EvcDypo 6bzPUfdTLjgJbruXZalCognhX5kLIUJFsvHNjH03r/2M X-Google-Smtp-Source: AIpwx4+lWtqRWbaIxpTb/SfaG5d3Ea1kpNrvHzWwVGv6xy3+tGBv+Rbi+eQbUg7UWiliA/cnDXoZpRJV2abdRm3XCkY= X-Received: by 2002:a17:902:51ce:: with SMTP id y72-v6mr35519265plh.157.1523222228345; Sun, 08 Apr 2018 14:17:08 -0700 (PDT) MIME-Version: 1.0 Received: by 10.100.152.97 with HTTP; Sun, 8 Apr 2018 14:16:47 -0700 (PDT) From: Steve French Date: Sun, 8 Apr 2018 16:16:47 -0500 Message-ID: Subject: [PATCH][SMB3] Removing confusing error message by fixing buffer length checking in SMB3.11 negprot To: CIFS Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP SMB3: Fix length checking of SMB3.11 negotiate request The length checking for SMB3.11 negotiate request includes "negotiate contexts" which caused a buffer validation problem and a confusing warning message on SMB3.11 mount e.g.: SMB2 server sent bad RFC1001 len 236 not 170 Fix the length checking for SMB3.11 negotiate to account for the new negotiate context so that we don't log a warning on SMB3.11 mount. See attached Reviewed-by: Aurelien Aptel From d2b1e074a47c206a058b0e648050d986285435d7 Mon Sep 17 00:00:00 2001 From: Steve French Date: Sun, 8 Apr 2018 16:14:31 -0500 Subject: [PATCH] SMB3: Fix length checking of SMB3.11 negotiate request The length checking for SMB3.11 negotiate request includes "negotiate contexts" which caused a buffer validation problem and a confusing warning message on SMB3.11 mount e.g.: SMB2 server sent bad RFC1001 len 236 not 170 Fix the length checking for SMB3.11 negotiate to account for the new negotiate context so that we don't log a warning on SMB3.11 mount. CC: Stable Signed-off-by: Steve French --- fs/cifs/smb2misc.c | 39 +++++++++++++++++++++++++++++++++++++++ fs/cifs/smb2pdu.h | 7 +++++++ 2 files changed, 46 insertions(+) diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c index 5406e95f5d92..9df9f0b48160 100644 --- a/fs/cifs/smb2misc.c +++ b/fs/cifs/smb2misc.c @@ -93,6 +93,41 @@ static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) }; +#ifdef CONFIG_CIFS_SMB311 +static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, __u32 non_ctxlen) +{ + __u16 neg_count; + __u32 nc_offset, size_of_pad_before_neg_ctxts; + struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; + + /* Negotiate contexts are only valid for latest dialect SMB3.11 */ + neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); + if ((neg_count == 0) || + (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) + return 0; + + /* Make sure that negotiate contexts start after gss security blob */ + nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); + if (nc_offset < non_ctxlen - 4 /* RFC1001 len field */) { + printk_once(KERN_WARNING "invalid negotiate context offset\n"); + return 0; + } + size_of_pad_before_neg_ctxts = nc_offset - (non_ctxlen - 4); + + /* Verify that at least minimal negotiate contexts fit within frame */ + if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { + printk_once(KERN_WARNING "negotiate context goes beyond end\n"); + return 0; + } + + cifs_dbg(FYI, "length of negcontexts %d pad %d\n", + len - nc_offset, size_of_pad_before_neg_ctxts); + + /* length of negcontexts including pad from end of sec blob to them */ + return (len - nc_offset) + size_of_pad_before_neg_ctxts; +} +#endif /* CIFS_SMB311 */ + int smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr) { @@ -198,6 +233,10 @@ smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr) clc_len = smb2_calc_size(hdr); +#ifdef CONFIG_CIFS_SMB311 + if (shdr->Command == SMB2_NEGOTIATE) + clc_len += get_neg_ctxt_len(hdr, len, clc_len); +#endif /* SMB311 */ if (srvr->vals->header_preamble_size + len != clc_len) { cifs_dbg(FYI, "Calculated size %u length %zu mismatch mid %llu\n", clc_len, srvr->vals->header_preamble_size + len, mid); diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h index 253e2c7c952f..0e0a0af89e4d 100644 --- a/fs/cifs/smb2pdu.h +++ b/fs/cifs/smb2pdu.h @@ -263,6 +263,13 @@ struct smb2_negotiate_req { #define SMB2_NT_FIND 0x00100000 #define SMB2_LARGE_FILES 0x00200000 +struct smb2_neg_context { + __le16 ContextType; + __le16 DataLength; + __le32 Reserved; + /* Followed by array of data */ +} __packed; + #define SMB311_SALT_SIZE 32 /* Hash Algorithm Types */ #define SMB2_PREAUTH_INTEGRITY_SHA512 cpu_to_le16(0x0001) -- 2.14.1