From patchwork Fri Oct 1 12:04:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530413 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B8C8C433F5 for ; Fri, 1 Oct 2021 12:05:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6612A61A85 for ; Fri, 1 Oct 2021 12:05:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354279AbhJAMHS (ORCPT ); Fri, 1 Oct 2021 08:07:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48616 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354260AbhJAMHS (ORCPT ); Fri, 1 Oct 2021 08:07:18 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31C60C061775 for ; Fri, 1 Oct 2021 05:05:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=0wG96b4CKA2dsAk/FrmfxEHkdb05j2n9a3MKTC2204s=; b=3VNnWHTfDcbEfpXvet3Xx4W4Cb BtTyTmCUoC09Fap64tV/kNIRG6kSFsX9pS9IAVR9x6De11cOWMtH0K9hbM7nBS/SJdLm3IcEbsZGO n9Sv4Rgl7yBsaQQUoEFGlcyyUM2Pw5Eh+M1dPkr/qsnUD206ZL67V0qpqEIK1QDNKEIugzooxZQDs qjX+TIqtKMYrsXXtBKvIaan5pE2YO4vFyUAtATat5YlggUJCSJoM/E0ELtIDN6AAFJWxGikja7Zkr 73JTdWVWwgljywuAD7MLdZi5TIfB05A9a0Kw9z3ZHE8mPRzCJfYWyGvFgJcEZoS0474Utncmb0NmT GiHEjrxFJ/lFSRX3+LQGsKgadZlJ8OznovZn58kDfzXn9dlGMliLaArUAYRpH02TAAZMX8H/R4byc buylB0b3nILBpmFeVQhPmQrdjzhScIntNyVL8EuJ57aD7qMIVbZ9UmiklPRMeRHxEFbzohdUHpdDK q2TIU47AhVYrpxrd3i5fAwHm; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIB-0013Z3-Gh; Fri, 01 Oct 2021 12:05:31 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 01/20] ksmbd: add the check to vaildate if stream protocol length exceeds maximum value Date: Fri, 1 Oct 2021 14:04:02 +0200 Message-Id: <20211001120421.327245-2-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon This patch add MAX_STREAM_PROT_LEN macro and check if stream protocol length exceeds maximum value. opencode pdu size check in ksmbd_pdu_size_has_room(). Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/connection.c | 9 +++++---- fs/ksmbd/smb_common.c | 6 ------ fs/ksmbd/smb_common.h | 4 ++-- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c index af086d35398a..e50353c50661 100644 --- a/fs/ksmbd/connection.c +++ b/fs/ksmbd/connection.c @@ -296,10 +296,11 @@ int ksmbd_conn_handler_loop(void *p) pdu_size = get_rfc1002_len(hdr_buf); ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size); - /* make sure we have enough to get to SMB header end */ - if (!ksmbd_pdu_size_has_room(pdu_size)) { - ksmbd_debug(CONN, "SMB request too short (%u bytes)\n", - pdu_size); + /* + * Check if pdu size is valid (min : smb header size, + * max : 0x00FFFFFF). + */ + if (pdu_size > MAX_STREAM_PROT_LEN) { continue; } diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index 5901b2884c60..20bd5b8e3c0a 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -21,7 +21,6 @@ static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%"; #define MAGIC_CHAR '~' #define PERIOD '.' #define mangle(V) ((char)(basechars[(V) % MANGLE_BASE])) -#define KSMBD_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr)) struct smb_protocol { int index; @@ -272,11 +271,6 @@ int ksmbd_init_smb_server(struct ksmbd_work *work) return 0; } -bool ksmbd_pdu_size_has_room(unsigned int pdu) -{ - return (pdu >= KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4); -} - int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level, struct ksmbd_file *dir, struct ksmbd_dir_info *d_info, diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h index 994abede27e9..6e79e7577f6b 100644 --- a/fs/ksmbd/smb_common.h +++ b/fs/ksmbd/smb_common.h @@ -48,6 +48,8 @@ #define CIFS_DEFAULT_IOSIZE (64 * 1024) #define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */ +#define MAX_STREAM_PROT_LEN 0x00FFFFFF + /* Responses when opening a file. */ #define F_SUPERSEDED 0 #define F_OPENED 1 @@ -493,8 +495,6 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); int ksmbd_init_smb_server(struct ksmbd_work *work); -bool ksmbd_pdu_size_has_room(unsigned int pdu); - struct ksmbd_kstat; int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level, From patchwork Fri Oct 1 12:04:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530415 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF59EC433EF for ; Fri, 1 Oct 2021 12:05:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D270B610EA for ; Fri, 1 Oct 2021 12:05:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354278AbhJAMH1 (ORCPT ); Fri, 1 Oct 2021 08:07:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354129AbhJAMH0 (ORCPT ); Fri, 1 Oct 2021 08:07:26 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A903AC061775 for ; Fri, 1 Oct 2021 05:05:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=/FHRVLTeW1nMdXHIDjbw868I+xrSz/jHnJrpZ94UKDo=; b=NEoR/cN3BNYT8JVe7d+cjDo2zo +wbLrgA4clNszCmkNheNDBK7kjSDzxvA2LM3FTSSvp2m2sraWNYy/8UwnTcanjMV86Uypzt6ESxHS SNNOfZBRrTRVSHpTH4KNZtUCgxdsRMkWItm2iDBi7ZFoWUOGrDdvWp9R2wCatsxTe01jyOgIplcF7 iGq0o+BM8/JDxnQ9vcC62G8fd/HbcNmvvhYfLKcvHsXcR3mGuQ86SAxUCyY+sodj86wGFeVvbqCw0 uBVrZ9AZbUIJ0k1nH9/6lTjnCmI3hZqgGP6jXJJPiRIS/jsCxxZJafpUuS/zypyE1n4/rMySlbLh6 r0cxXSb78fywRYdrfdyRjloDi43xmGc064Q7tggXneN4KbhiK5Krru3FubbF4N0eZgw7xf/LIZJmC bVmOTiuskU2Hl21gSK2eZ+eV4xvqAOAExqJsx39L71+ug3FcdG6rvFWjn+pBtdn8p6kd+456nqTQT UokpGGpq5rHPTMbKgATXC8OY; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIK-0013Z3-N4; Fri, 01 Oct 2021 12:05:40 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 02/20] ksmbd: add validation in smb2_ioctl Date: Fri, 1 Oct 2021 14:04:03 +0200 Message-Id: <20211001120421.327245-3-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Add validation for request/response buffer size check in smb2_ioctl and fsctl_copychunk() take copychunk_ioctl_req pointer and the other arguments instead of smb2_ioctl_req structure and remove an unused smb2_ioctl_req argument of fsctl_validate_negotiate_info. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 105 ++++++++++++++++++++++++++++++++++----------- fs/ksmbd/vfs.c | 2 +- fs/ksmbd/vfs.h | 2 +- 3 files changed, 83 insertions(+), 26 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index cea376b2dd8f..9c0878862820 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -6918,24 +6918,26 @@ int smb2_lock(struct ksmbd_work *work) return err; } -static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, +static int fsctl_copychunk(struct ksmbd_work *work, + struct copychunk_ioctl_req *ci_req, + unsigned int cnt_code, + unsigned int input_count, + unsigned long long volatile_id, + unsigned long long persistent_id, struct smb2_ioctl_rsp *rsp) { - struct copychunk_ioctl_req *ci_req; struct copychunk_ioctl_rsp *ci_rsp; struct ksmbd_file *src_fp = NULL, *dst_fp = NULL; struct srv_copychunk *chunks; unsigned int i, chunk_count, chunk_count_written = 0; unsigned int chunk_size_written = 0; loff_t total_size_written = 0; - int ret, cnt_code; + int ret = 0; - cnt_code = le32_to_cpu(req->CntCode); - ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0]; ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0]; - rsp->VolatileFileId = req->VolatileFileId; - rsp->PersistentFileId = req->PersistentFileId; + rsp->VolatileFileId = cpu_to_le64(volatile_id); + rsp->PersistentFileId = cpu_to_le64(persistent_id); ci_rsp->ChunksWritten = cpu_to_le32(ksmbd_server_side_copy_max_chunk_count()); ci_rsp->ChunkBytesWritten = @@ -6945,12 +6947,13 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, chunks = (struct srv_copychunk *)&ci_req->Chunks[0]; chunk_count = le32_to_cpu(ci_req->ChunkCount); + if (chunk_count == 0) + goto out; total_size_written = 0; /* verify the SRV_COPYCHUNK_COPY packet */ if (chunk_count > ksmbd_server_side_copy_max_chunk_count() || - le32_to_cpu(req->InputCount) < - offsetof(struct copychunk_ioctl_req, Chunks) + + input_count < offsetof(struct copychunk_ioctl_req, Chunks) + chunk_count * sizeof(struct srv_copychunk)) { rsp->hdr.Status = STATUS_INVALID_PARAMETER; return -EINVAL; @@ -6971,9 +6974,7 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, src_fp = ksmbd_lookup_foreign_fd(work, le64_to_cpu(ci_req->ResumeKey[0])); - dst_fp = ksmbd_lookup_fd_slow(work, - le64_to_cpu(req->VolatileFileId), - le64_to_cpu(req->PersistentFileId)); + dst_fp = ksmbd_lookup_fd_slow(work, volatile_id, persistent_id); ret = -EINVAL; if (!src_fp || src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) { @@ -7048,11 +7049,11 @@ static __be32 idev_ipv4_address(struct in_device *idev) } static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, - struct smb2_ioctl_req *req, - struct smb2_ioctl_rsp *rsp) + struct smb2_ioctl_rsp *rsp, + unsigned int out_buf_len) { struct network_interface_info_ioctl_rsp *nii_rsp = NULL; - int nbytes = 0; + unsigned int nbytes = 0; struct net_device *netdev; struct sockaddr_storage_rsp *sockaddr_storage; unsigned int flags; @@ -7061,6 +7062,10 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, rtnl_lock(); for_each_netdev(&init_net, netdev) { + if (out_buf_len < + nbytes + sizeof(struct network_interface_info_ioctl_rsp)) + break; + if (netdev->type == ARPHRD_LOOPBACK) continue; @@ -7132,6 +7137,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, sockaddr_storage->addr6.ScopeId = 0; } + if (out_buf_len - nbytes < sizeof(struct network_interface_info_ioctl_rsp)) + break; nbytes += sizeof(struct network_interface_info_ioctl_rsp); } rtnl_unlock(); @@ -7152,11 +7159,16 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn, struct validate_negotiate_info_req *neg_req, - struct validate_negotiate_info_rsp *neg_rsp) + struct validate_negotiate_info_rsp *neg_rsp, + unsigned int in_buf_len) { int ret = 0; int dialect; + if (in_buf_len < sizeof(struct validate_negotiate_info_req) + + le16_to_cpu(neg_req->DialectCount) * sizeof(__le16)) + return -EINVAL; + dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects, neg_req->DialectCount); if (dialect == BAD_PROT_ID || dialect != conn->dialect) { @@ -7190,7 +7202,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn, static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id, struct file_allocated_range_buffer *qar_req, struct file_allocated_range_buffer *qar_rsp, - int in_count, int *out_count) + unsigned int in_count, unsigned int *out_count) { struct ksmbd_file *fp; loff_t start, length; @@ -7217,7 +7229,8 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id, } static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id, - int out_buf_len, struct smb2_ioctl_req *req, + unsigned int out_buf_len, + struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp) { struct ksmbd_rpc_command *rpc_resp; @@ -7331,8 +7344,7 @@ int smb2_ioctl(struct ksmbd_work *work) { struct smb2_ioctl_req *req; struct smb2_ioctl_rsp *rsp, *rsp_org; - int cnt_code, nbytes = 0; - int out_buf_len; + unsigned int cnt_code, nbytes = 0, out_buf_len, in_buf_len; u64 id = KSMBD_NO_FID; struct ksmbd_conn *conn = work->conn; int ret = 0; @@ -7361,7 +7373,11 @@ int smb2_ioctl(struct ksmbd_work *work) cnt_code = le32_to_cpu(req->CntCode); out_buf_len = le32_to_cpu(req->MaxOutputResponse); - out_buf_len = min(KSMBD_IPC_MAX_PAYLOAD, out_buf_len); + out_buf_len = + min_t(u32, work->response_sz - work->next_smb2_rsp_hdr_off - + (offsetof(struct smb2_ioctl_rsp, Buffer) - 4), + out_buf_len); + in_buf_len = le32_to_cpu(req->InputCount); switch (cnt_code) { case FSCTL_DFS_GET_REFERRALS: @@ -7389,6 +7405,7 @@ int smb2_ioctl(struct ksmbd_work *work) break; } case FSCTL_PIPE_TRANSCEIVE: + out_buf_len = min_t(u32, KSMBD_IPC_MAX_PAYLOAD, out_buf_len); nbytes = fsctl_pipe_transceive(work, id, out_buf_len, req, rsp); break; case FSCTL_VALIDATE_NEGOTIATE_INFO: @@ -7397,9 +7414,16 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct validate_negotiate_info_req)) + return -EINVAL; + + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) + return -EINVAL; + ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0], - (struct validate_negotiate_info_rsp *)&rsp->Buffer[0]); + (struct validate_negotiate_info_rsp *)&rsp->Buffer[0], + in_buf_len); if (ret < 0) goto out; @@ -7408,7 +7432,7 @@ int smb2_ioctl(struct ksmbd_work *work) rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID); break; case FSCTL_QUERY_NETWORK_INTERFACE_INFO: - nbytes = fsctl_query_iface_info_ioctl(conn, req, rsp); + nbytes = fsctl_query_iface_info_ioctl(conn, rsp, out_buf_len); if (nbytes < 0) goto out; break; @@ -7435,15 +7459,33 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct copychunk_ioctl_req)) { + ret = -EINVAL; + goto out; + } + if (out_buf_len < sizeof(struct copychunk_ioctl_rsp)) { ret = -EINVAL; goto out; } nbytes = sizeof(struct copychunk_ioctl_rsp); - fsctl_copychunk(work, req, rsp); + rsp->VolatileFileId = req->VolatileFileId; + rsp->PersistentFileId = req->PersistentFileId; + fsctl_copychunk(work, + (struct copychunk_ioctl_req *)&req->Buffer[0], + le32_to_cpu(req->CntCode), + le32_to_cpu(req->InputCount), + le64_to_cpu(req->VolatileFileId), + le64_to_cpu(req->PersistentFileId), + rsp); break; case FSCTL_SET_SPARSE: + if (in_buf_len < sizeof(struct file_sparse)) { + ret = -EINVAL; + goto out; + } + ret = fsctl_set_sparse(work, id, (struct file_sparse *)&req->Buffer[0]); if (ret < 0) @@ -7462,6 +7504,11 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct file_zero_data_information)) { + ret = -EINVAL; + goto out; + } + zero_data = (struct file_zero_data_information *)&req->Buffer[0]; @@ -7481,6 +7528,11 @@ int smb2_ioctl(struct ksmbd_work *work) break; } case FSCTL_QUERY_ALLOCATED_RANGES: + if (in_buf_len < sizeof(struct file_allocated_range_buffer)) { + ret = -EINVAL; + goto out; + } + ret = fsctl_query_allocated_ranges(work, id, (struct file_allocated_range_buffer *)&req->Buffer[0], (struct file_allocated_range_buffer *)&rsp->Buffer[0], @@ -7521,6 +7573,11 @@ int smb2_ioctl(struct ksmbd_work *work) struct duplicate_extents_to_file *dup_ext; loff_t src_off, dst_off, length, cloned; + if (in_buf_len < sizeof(struct duplicate_extents_to_file)) { + ret = -EINVAL; + goto out; + } + dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0]; fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle, diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c index b41954294d38..835b384b0895 100644 --- a/fs/ksmbd/vfs.c +++ b/fs/ksmbd/vfs.c @@ -1023,7 +1023,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp, int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length, struct file_allocated_range_buffer *ranges, - int in_count, int *out_count) + unsigned int in_count, unsigned int *out_count) { struct file *f = fp->filp; struct inode *inode = file_inode(fp->filp); diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h index 7b1dcaa3fbdc..b0d5b8feb4a3 100644 --- a/fs/ksmbd/vfs.h +++ b/fs/ksmbd/vfs.h @@ -166,7 +166,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp, struct file_allocated_range_buffer; int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length, struct file_allocated_range_buffer *ranges, - int in_count, int *out_count); + unsigned int in_count, unsigned int *out_count); int ksmbd_vfs_unlink(struct user_namespace *user_ns, struct dentry *dir, struct dentry *dentry); void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat); From patchwork Fri Oct 1 12:04:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530511 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFFFCC433FE for ; Fri, 1 Oct 2021 12:25:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B1C4661A55 for ; Fri, 1 Oct 2021 12:25:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354234AbhJAM1E (ORCPT ); Fri, 1 Oct 2021 08:27:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53212 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354364AbhJAM1C (ORCPT ); Fri, 1 Oct 2021 08:27:02 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 71A29C06177C for ; Fri, 1 Oct 2021 05:25:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=BBoHhSN5DUV/pw1fVGReAjPvezm7csgon7Kx/33ma/c=; b=0/eeiiiKzEihDk3lT1nd7lXd+q pq8P3YR7IKmAajt24/211jU1RCTv/f0mQYFiuFF4wQc9r2PrrJcOYk7jgNWFTdVTPJ4lqLFAkJqcT qvxuXfJ95mvItdblVWuRBKfClr98+AV33gd1TwSs1U24ZcGEg/NNbx/cHmXm2ndNdZJ5gGQU8mQ3N L8A/st3oxCFj2179L87wldUrnHFIhE1CyiIdupltuW/L0k6Qgz9Y1iptcAl4Jc5CBQfraKqSJcDTw Xa9qqxSR+jPfn3vpxWzsjANqSSLnB+vzfOAhZFGCQzPuqdvqVxnqmpZlnHJFEROjxcx9SpWk3m2VW YERpT0mBelep4kmmTo5ZNE0IDMgElqEVyn7MK9BBYtxgfefOmSwHn1660DOWQ0+Ejp6TlRVuNJon1 KcoCjgVVZGKmiM/L65I/GNL0FLfkl66XSQy0V/MiBu1EC7379lY3NzBMeEeeBtA4ftNmz6xpOyrjL K1CdhkKsevQENeQrY61RX7pA; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIM-0013Z3-5E; Fri, 01 Oct 2021 12:05:42 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Ralph Boehme Subject: [PATCH v5 03/20] ksmbd: use correct basic info level in set_file_basic_info() Date: Fri, 1 Oct 2021 14:04:04 +0200 Message-Id: <20211001120421.327245-4-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Use correct basic info level in set/get_file_basic_info(). Reviewed-by: Ralph Boehme Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 13 ++++++------- fs/ksmbd/smb2pdu.h | 9 +++++++++ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 9c0878862820..d874813aca90 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -4161,7 +4161,7 @@ static void get_file_access_info(struct smb2_query_info_rsp *rsp, static int get_file_basic_info(struct smb2_query_info_rsp *rsp, struct ksmbd_file *fp, void *rsp_org) { - struct smb2_file_all_info *basic_info; + struct smb2_file_basic_info *basic_info; struct kstat stat; u64 time; @@ -4171,7 +4171,7 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp, return -EACCES; } - basic_info = (struct smb2_file_all_info *)rsp->Buffer; + basic_info = (struct smb2_file_basic_info *)rsp->Buffer; generic_fillattr(file_mnt_user_ns(fp->filp), file_inode(fp->filp), &stat); basic_info->CreationTime = cpu_to_le64(fp->create_time); @@ -4184,9 +4184,8 @@ static int get_file_basic_info(struct smb2_query_info_rsp *rsp, basic_info->Attributes = fp->f_ci->m_fattr; basic_info->Pad1 = 0; rsp->OutputBufferLength = - cpu_to_le32(offsetof(struct smb2_file_all_info, AllocationSize)); - inc_rfc1001_len(rsp_org, offsetof(struct smb2_file_all_info, - AllocationSize)); + cpu_to_le32(sizeof(struct smb2_file_basic_info)); + inc_rfc1001_len(rsp_org, sizeof(struct smb2_file_basic_info)); return 0; } @@ -5412,7 +5411,7 @@ static int smb2_create_link(struct ksmbd_work *work, static int set_file_basic_info(struct ksmbd_file *fp, char *buf, struct ksmbd_share_config *share) { - struct smb2_file_all_info *file_info; + struct smb2_file_basic_info *file_info; struct iattr attrs; struct timespec64 ctime; struct file *filp; @@ -5423,7 +5422,7 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf, if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE)) return -EACCES; - file_info = (struct smb2_file_all_info *)buf; + file_info = (struct smb2_file_basic_info *)buf; attrs.ia_valid = 0; filp = fp->filp; inode = file_inode(filp); diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h index bcec845b03f3..261825d06391 100644 --- a/fs/ksmbd/smb2pdu.h +++ b/fs/ksmbd/smb2pdu.h @@ -1464,6 +1464,15 @@ struct smb2_file_all_info { /* data block encoding of response to level 18 */ char FileName[1]; } __packed; /* level 18 Query */ +struct smb2_file_basic_info { /* data block encoding of response to level 18 */ + __le64 CreationTime; /* Beginning of FILE_BASIC_INFO equivalent */ + __le64 LastAccessTime; + __le64 LastWriteTime; + __le64 ChangeTime; + __le32 Attributes; + __u32 Pad1; /* End of FILE_BASIC_INFO_INFO equivalent */ +} __packed; + struct smb2_file_alt_name_info { __le32 FileNameLength; char FileName[0]; From patchwork Fri Oct 1 12:04:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530417 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E5E9C433EF for ; Fri, 1 Oct 2021 12:05:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5913561A85 for ; Fri, 1 Oct 2021 12:05:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354260AbhJAMH3 (ORCPT ); Fri, 1 Oct 2021 08:07:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354266AbhJAMH3 (ORCPT ); Fri, 1 Oct 2021 08:07:29 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F237EC06177B for ; Fri, 1 Oct 2021 05:05:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=L5J152NsDPj8rHslOoZsozuhJ9u+zWmlPEaR1zIivgo=; b=UEUzR9Pl9CY+/YjlRRpvmcf+CT JnXuFbFGPp+FjIo0450sqN/eBvExMFl/jvSRTqNzCYPpB3RjNFHOuWlNFAqKYcM7+JopWRgRhFJ1R VaMW5OJ5jE3HejAhRaQErBnqNCfpKDKGEC4kGHAxdQvwH1eTmuqAkFsSLcri5nT/MfNPGq16Mm0kG gCN+32J5uDMzMJFdOGnEvMBdaaovizjpVp4f136cqCu/VDeDyNFfcjPmuMXUrurFCF388UWy/Pjq6 lhWruwdl/+n8ezr3F9kdHmQOj10PBGN5n/v4i3Pg4EXmN1EefgRUq3Le3wX9DzvFNdH2Kj4/hvdv5 UqcgitLElaGiW9OSCBHgyvEyRUoFZCgBjaPsg0fI7yXhi0LW8FgHMhZ4GJn99cOLDeK2DLi61kgnz SpAxANl4AVn3ePRHryXXmUvc0/DPCD2gno4WEFOqesG8bULyxoTzXfsQ9ek8VuXw4UOfPGQ546xew qn+zSX6OxOMXAbp/lOzpoQhg; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIM-0013Z3-QZ; Fri, 01 Oct 2021 12:05:42 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 04/20] ksmbd: add request buffer validation in smb2_set_info Date: Fri, 1 Oct 2021 14:04:05 +0200 Message-Id: <20211001120421.327245-5-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Add buffer validation in smb2_set_info, and remove unused variable in set_file_basic_info. and smb2_set_info infolevel functions take structure pointer argument. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Reviewed-by: Ralph Boehme Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 149 ++++++++++++++++++++++++++++++++------------- 1 file changed, 107 insertions(+), 42 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index d874813aca90..c434390ffcae 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2102,16 +2102,22 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) * smb2_set_ea() - handler for setting extended attributes using set * info command * @eabuf: set info command buffer + * @buf_len: set info command buffer length * @path: dentry path for get ea * * Return: 0 on success, otherwise error */ -static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path) +static int smb2_set_ea(struct smb2_ea_info *eabuf, unsigned int buf_len, + struct path *path) { struct user_namespace *user_ns = mnt_user_ns(path->mnt); char *attr_name = NULL, *value; int rc = 0; - int next = 0; + unsigned int next = 0; + + if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + + le16_to_cpu(eabuf->EaValueLength)) + return -EINVAL; attr_name = kmalloc(XATTR_NAME_MAX + 1, GFP_KERNEL); if (!attr_name) @@ -2176,7 +2182,13 @@ static int smb2_set_ea(struct smb2_ea_info *eabuf, struct path *path) next: next = le32_to_cpu(eabuf->NextEntryOffset); + if (next == 0 || buf_len < next) + break; + buf_len -= next; eabuf = (struct smb2_ea_info *)((char *)eabuf + next); + if (next < (u32)eabuf->EaNameLength + le16_to_cpu(eabuf->EaValueLength)) + break; + } while (next != 0); kfree(attr_name); @@ -2757,7 +2769,15 @@ int smb2_open(struct ksmbd_work *work) created = true; user_ns = mnt_user_ns(path.mnt); if (ea_buf) { - rc = smb2_set_ea(&ea_buf->ea, &path); + if (le32_to_cpu(ea_buf->ccontext.DataLength) < + sizeof(struct smb2_ea_info)) { + rc = -EINVAL; + goto err_out; + } + + rc = smb2_set_ea(&ea_buf->ea, + le32_to_cpu(ea_buf->ccontext.DataLength), + &path); if (rc == -EOPNOTSUPP) rc = 0; else if (rc) @@ -5341,7 +5361,7 @@ static int smb2_rename(struct ksmbd_work *work, static int smb2_create_link(struct ksmbd_work *work, struct ksmbd_share_config *share, struct smb2_file_link_info *file_info, - struct file *filp, + unsigned int buf_len, struct file *filp, struct nls_table *local_nls) { char *link_name = NULL, *target_name = NULL, *pathname = NULL; @@ -5349,6 +5369,10 @@ static int smb2_create_link(struct ksmbd_work *work, bool file_present = true; int rc; + if (buf_len < (u64)sizeof(struct smb2_file_link_info) + + le32_to_cpu(file_info->FileNameLength)) + return -EINVAL; + ksmbd_debug(SMB, "setting FILE_LINK_INFORMATION\n"); pathname = kmalloc(PATH_MAX, GFP_KERNEL); if (!pathname) @@ -5408,10 +5432,10 @@ static int smb2_create_link(struct ksmbd_work *work, return rc; } -static int set_file_basic_info(struct ksmbd_file *fp, char *buf, +static int set_file_basic_info(struct ksmbd_file *fp, + struct smb2_file_basic_info *file_info, struct ksmbd_share_config *share) { - struct smb2_file_basic_info *file_info; struct iattr attrs; struct timespec64 ctime; struct file *filp; @@ -5422,7 +5446,6 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf, if (!(fp->daccess & FILE_WRITE_ATTRIBUTES_LE)) return -EACCES; - file_info = (struct smb2_file_basic_info *)buf; attrs.ia_valid = 0; filp = fp->filp; inode = file_inode(filp); @@ -5499,7 +5522,8 @@ static int set_file_basic_info(struct ksmbd_file *fp, char *buf, } static int set_file_allocation_info(struct ksmbd_work *work, - struct ksmbd_file *fp, char *buf) + struct ksmbd_file *fp, + struct smb2_file_alloc_info *file_alloc_info) { /* * TODO : It's working fine only when store dos attributes @@ -5507,7 +5531,6 @@ static int set_file_allocation_info(struct ksmbd_work *work, * properly with any smb.conf option */ - struct smb2_file_alloc_info *file_alloc_info; loff_t alloc_blks; struct inode *inode; int rc; @@ -5515,7 +5538,6 @@ static int set_file_allocation_info(struct ksmbd_work *work, if (!(fp->daccess & FILE_WRITE_DATA_LE)) return -EACCES; - file_alloc_info = (struct smb2_file_alloc_info *)buf; alloc_blks = (le64_to_cpu(file_alloc_info->AllocationSize) + 511) >> 9; inode = file_inode(fp->filp); @@ -5551,9 +5573,8 @@ static int set_file_allocation_info(struct ksmbd_work *work, } static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp, - char *buf) + struct smb2_file_eof_info *file_eof_info) { - struct smb2_file_eof_info *file_eof_info; loff_t newsize; struct inode *inode; int rc; @@ -5561,7 +5582,6 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp, if (!(fp->daccess & FILE_WRITE_DATA_LE)) return -EACCES; - file_eof_info = (struct smb2_file_eof_info *)buf; newsize = le64_to_cpu(file_eof_info->EndOfFile); inode = file_inode(fp->filp); @@ -5588,7 +5608,8 @@ static int set_end_of_file_info(struct ksmbd_work *work, struct ksmbd_file *fp, } static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp, - char *buf) + struct smb2_file_rename_info *rename_info, + unsigned int buf_len) { struct user_namespace *user_ns; struct ksmbd_file *parent_fp; @@ -5601,6 +5622,10 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp, return -EACCES; } + if (buf_len < (u64)sizeof(struct smb2_file_rename_info) + + le32_to_cpu(rename_info->FileNameLength)) + return -EINVAL; + user_ns = file_mnt_user_ns(fp->filp); if (ksmbd_stream_fd(fp)) goto next; @@ -5623,14 +5648,13 @@ static int set_rename_info(struct ksmbd_work *work, struct ksmbd_file *fp, } } next: - return smb2_rename(work, fp, user_ns, - (struct smb2_file_rename_info *)buf, + return smb2_rename(work, fp, user_ns, rename_info, work->sess->conn->local_nls); } -static int set_file_disposition_info(struct ksmbd_file *fp, char *buf) +static int set_file_disposition_info(struct ksmbd_file *fp, + struct smb2_file_disposition_info *file_info) { - struct smb2_file_disposition_info *file_info; struct inode *inode; if (!(fp->daccess & FILE_DELETE_LE)) { @@ -5639,7 +5663,6 @@ static int set_file_disposition_info(struct ksmbd_file *fp, char *buf) } inode = file_inode(fp->filp); - file_info = (struct smb2_file_disposition_info *)buf; if (file_info->DeletePending) { if (S_ISDIR(inode->i_mode) && ksmbd_vfs_empty_dir(fp) == -ENOTEMPTY) @@ -5651,15 +5674,14 @@ static int set_file_disposition_info(struct ksmbd_file *fp, char *buf) return 0; } -static int set_file_position_info(struct ksmbd_file *fp, char *buf) +static int set_file_position_info(struct ksmbd_file *fp, + struct smb2_file_pos_info *file_info) { - struct smb2_file_pos_info *file_info; loff_t current_byte_offset; unsigned long sector_size; struct inode *inode; inode = file_inode(fp->filp); - file_info = (struct smb2_file_pos_info *)buf; current_byte_offset = le64_to_cpu(file_info->CurrentByteOffset); sector_size = inode->i_sb->s_blocksize; @@ -5675,12 +5697,11 @@ static int set_file_position_info(struct ksmbd_file *fp, char *buf) return 0; } -static int set_file_mode_info(struct ksmbd_file *fp, char *buf) +static int set_file_mode_info(struct ksmbd_file *fp, + struct smb2_file_mode_info *file_info) { - struct smb2_file_mode_info *file_info; __le32 mode; - file_info = (struct smb2_file_mode_info *)buf; mode = file_info->Mode; if ((mode & ~FILE_MODE_INFO_MASK) || @@ -5710,40 +5731,74 @@ static int set_file_mode_info(struct ksmbd_file *fp, char *buf) * TODO: need to implement an error handling for STATUS_INFO_LENGTH_MISMATCH */ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp, - int info_class, char *buf, + struct smb2_set_info_req *req, struct ksmbd_share_config *share) { - switch (info_class) { + unsigned int buf_len = le32_to_cpu(req->BufferLength); + + switch (req->FileInfoClass) { case FILE_BASIC_INFORMATION: - return set_file_basic_info(fp, buf, share); + { + if (buf_len < sizeof(struct smb2_file_basic_info)) + return -EINVAL; + return set_file_basic_info(fp, (struct smb2_file_basic_info *)req->Buffer, share); + } case FILE_ALLOCATION_INFORMATION: - return set_file_allocation_info(work, fp, buf); + { + if (buf_len < sizeof(struct smb2_file_alloc_info)) + return -EINVAL; + return set_file_allocation_info(work, fp, + (struct smb2_file_alloc_info *)req->Buffer); + } case FILE_END_OF_FILE_INFORMATION: - return set_end_of_file_info(work, fp, buf); + { + if (buf_len < sizeof(struct smb2_file_eof_info)) + return -EINVAL; + return set_end_of_file_info(work, fp, + (struct smb2_file_eof_info *)req->Buffer); + } case FILE_RENAME_INFORMATION: + { if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { ksmbd_debug(SMB, "User does not have write permission\n"); return -EACCES; } - return set_rename_info(work, fp, buf); + if (buf_len < sizeof(struct smb2_file_rename_info)) + return -EINVAL; + + return set_rename_info(work, fp, + (struct smb2_file_rename_info *)req->Buffer, + buf_len); + } case FILE_LINK_INFORMATION: + { + if (buf_len < sizeof(struct smb2_file_link_info)) + return -EINVAL; + return smb2_create_link(work, work->tcon->share_conf, - (struct smb2_file_link_info *)buf, fp->filp, + (struct smb2_file_link_info *)req->Buffer, + buf_len, fp->filp, work->sess->conn->local_nls); - + } case FILE_DISPOSITION_INFORMATION: + { if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { ksmbd_debug(SMB, "User does not have write permission\n"); return -EACCES; } - return set_file_disposition_info(fp, buf); + if (buf_len < sizeof(struct smb2_file_disposition_info)) + return -EINVAL; + + return set_file_disposition_info(fp, + (struct smb2_file_disposition_info *)req->Buffer); + } case FILE_FULL_EA_INFORMATION: { if (!(fp->daccess & FILE_WRITE_EA_LE)) { @@ -5752,18 +5807,29 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp, return -EACCES; } - return smb2_set_ea((struct smb2_ea_info *)buf, - &fp->filp->f_path); - } + if (buf_len < sizeof(struct smb2_ea_info)) + return -EINVAL; + return smb2_set_ea((struct smb2_ea_info *)req->Buffer, + buf_len, &fp->filp->f_path); + } case FILE_POSITION_INFORMATION: - return set_file_position_info(fp, buf); + { + if (buf_len < sizeof(struct smb2_file_pos_info)) + return -EINVAL; + return set_file_position_info(fp, (struct smb2_file_pos_info *)req->Buffer); + } case FILE_MODE_INFORMATION: - return set_file_mode_info(fp, buf); + { + if (buf_len < sizeof(struct smb2_file_mode_info)) + return -EINVAL; + + return set_file_mode_info(fp, (struct smb2_file_mode_info *)req->Buffer); + } } - pr_err("Unimplemented Fileinfoclass :%d\n", info_class); + pr_err("Unimplemented Fileinfoclass :%d\n", req->FileInfoClass); return -EOPNOTSUPP; } @@ -5824,8 +5890,7 @@ int smb2_set_info(struct ksmbd_work *work) switch (req->InfoType) { case SMB2_O_INFO_FILE: ksmbd_debug(SMB, "GOT SMB2_O_INFO_FILE\n"); - rc = smb2_set_info_file(work, fp, req->FileInfoClass, - req->Buffer, work->tcon->share_conf); + rc = smb2_set_info_file(work, fp, req, work->tcon->share_conf); break; case SMB2_O_INFO_SECURITY: ksmbd_debug(SMB, "GOT SMB2_O_INFO_SECURITY\n"); From patchwork Fri Oct 1 12:04:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530517 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C3DBC433F5 for ; Fri, 1 Oct 2021 12:25:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5D3456136A for ; Fri, 1 Oct 2021 12:25:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353435AbhJAM1K (ORCPT ); Fri, 1 Oct 2021 08:27:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53278 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353397AbhJAM1K (ORCPT ); Fri, 1 Oct 2021 08:27:10 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CD71C061775 for ; Fri, 1 Oct 2021 05:25:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=CS++xHYXmyIeHCPSon04GbD9+ipfeR7qC+fuTRWOWg0=; b=jp4jKCesTu+ABYZUEvtPBdpm5M G/hXdCgpqacPk26RMMEMWBU9EP+++aFLLgJwzQ2Zc5mowu6FIUMyOGBa++G5SU9Mz48sljF7lPDzu eahIG4QAJRh/b/8tdjEeH5KxPe8/E2D0mmmNc+DpySbrgwOcGSw162iVFnKIIevEnZSbP6mtpftNH VCt1Pm4+EW8bFSkq1/fQkzUGsk/01YIPfQw9avusu/3C/pUro8/4oFlamQpy3DKfF9AacK6HXtE0M CpqRmY390aI9suws16n8QGtFOJ6wDawXQ6CUL//G2/j0MErYMyLCh47/9M4KpgAl16qj1rhcK3NWV Ant1bi9gkKtz1r79UniMKNSKOjsX8MVY+/78P9SwNW4XSfDxQ0uAcZ6YrzQTtPbH0n+8VGPMQmIMe TUZY7v3huaO7erRpydcQlSSX2pzz2SDB1rp95jdLWQsxO+RkwjaQmPbZpUCmplqmtqa5to5oZPyW6 WuoWOodRlC2dC6iS4JIn8/+f; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIN-0013Z3-EF; Fri, 01 Oct 2021 12:05:43 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 05/20] ksmbd: check strictly data area in ksmbd_smb2_check_message() Date: Fri, 1 Oct 2021 14:04:06 +0200 Message-Id: <20211001120421.327245-6-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon When invalid data offset and data length in request, ksmbd_smb2_check_message check strictly and doesn't allow to process such requests. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Reviewed-by: Ralph Boehme Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2misc.c | 98 ++++++++++++++++++++++----------------------- 1 file changed, 47 insertions(+), 51 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 9aa46bb3e10d..9edd9c161b27 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -80,18 +80,21 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { }; /* - * Returns the pointer to the beginning of the data area. Length of the data - * area and the offset to it (from the beginning of the smb are also returned. + * Set length of the data area and the offset to arguments. + * if they are invalid, return error. */ -static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr) +static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, + struct smb2_hdr *hdr) { + int ret = 0; + *off = 0; *len = 0; /* error reqeusts do not have data area */ if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED && (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE) - return NULL; + return ret; /* * Following commands have data areas so we have to get the location @@ -165,69 +168,60 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr) case SMB2_IOCTL: *off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset); *len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount); - break; default: ksmbd_debug(SMB, "no length check for command\n"); break; } - /* - * Invalid length or offset probably means data area is invalid, but - * we have little choice but to ignore the data area in this case. - */ if (*off > 4096) { - ksmbd_debug(SMB, "offset %d too large, data area ignored\n", - *off); - *len = 0; - *off = 0; - } else if (*off < 0) { - ksmbd_debug(SMB, - "negative offset %d to data invalid ignore data area\n", - *off); - *off = 0; - *len = 0; - } else if (*len < 0) { - ksmbd_debug(SMB, - "negative data length %d invalid, data area ignored\n", - *len); - *len = 0; - } else if (*len > 128 * 1024) { - ksmbd_debug(SMB, "data area larger than 128K: %d\n", *len); - *len = 0; + ksmbd_debug(SMB, "offset %d too large\n", *off); + ret = -EINVAL; + } else if ((u64)*off + *len > MAX_STREAM_PROT_LEN) { + ksmbd_debug(SMB, "Request is larger than maximum stream protocol length(%u): %llu\n", + MAX_STREAM_PROT_LEN, (u64)*off + *len); + ret = -EINVAL; } - /* return pointer to beginning of data area, ie offset from SMB start */ - if ((*off != 0) && (*len != 0)) - return (char *)hdr + *off; - else - return NULL; + return ret; } /* * Calculate the size of the SMB message based on the fixed header * portion, the number of word parameters and the data portion of the message. */ -static unsigned int smb2_calc_size(void *buf) +static int smb2_calc_size(void *buf, unsigned int *len) { struct smb2_pdu *pdu = (struct smb2_pdu *)buf; struct smb2_hdr *hdr = &pdu->hdr; - int offset; /* the offset from the beginning of SMB to data area */ - int data_length; /* the length of the variable length data area */ + unsigned int offset; /* the offset from the beginning of SMB to data area */ + unsigned int data_length; /* the length of the variable length data area */ + int ret; + /* Structure Size has already been checked to make sure it is 64 */ - int len = le16_to_cpu(hdr->StructureSize); + *len = le16_to_cpu(hdr->StructureSize); /* * StructureSize2, ie length of fixed parameter area has already * been checked to make sure it is the correct length. */ - len += le16_to_cpu(pdu->StructureSize2); + *len += le16_to_cpu(pdu->StructureSize2); + /* + * StructureSize2 of smb2_lock pdu is set to 48, indicating + * the size of smb2 lock request with single smb2_lock_element + * regardless of number of locks. Subtract single + * smb2_lock_element for correct buffer size check. + */ + if (hdr->Command == SMB2_LOCK) + *len -= sizeof(struct smb2_lock_element); if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false) goto calc_size_exit; - smb2_get_data_area_len(&offset, &data_length, hdr); - ksmbd_debug(SMB, "SMB2 data length %d offset %d\n", data_length, + ret = smb2_get_data_area_len(&offset, &data_length, hdr); + if (ret) + return ret; + ksmbd_debug(SMB, "SMB2 data length %u offset %u\n", data_length, offset); if (data_length > 0) { @@ -237,16 +231,19 @@ static unsigned int smb2_calc_size(void *buf) * for some commands, typically those with odd StructureSize, * so we must add one to the calculation. */ - if (offset + 1 < len) + if (offset + 1 < *len) { ksmbd_debug(SMB, - "data area offset %d overlaps SMB2 header %d\n", - offset + 1, len); - else - len = offset + data_length; + "data area offset %d overlaps SMB2 header %u\n", + offset + 1, *len); + return -EINVAL; + } + + *len = offset + data_length; } + calc_size_exit: - ksmbd_debug(SMB, "SMB2 len %d\n", len); - return len; + ksmbd_debug(SMB, "SMB2 len %u\n", *len); + return 0; } static inline int smb2_query_info_req_len(struct smb2_query_info_req *h) @@ -391,9 +388,11 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } - clc_len = smb2_calc_size(hdr); + if (smb2_calc_size(hdr, &clc_len)) + return 1; + if (len != clc_len) { - /* server can return one byte more due to implied bcc[0] */ + /* client can return one byte more due to implied bcc[0] */ if (clc_len == len + 1) return 0; @@ -418,9 +417,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 0; } - if (command == SMB2_LOCK_HE && len == 88) - return 0; - ksmbd_debug(SMB, "cli req too short, len %d not %d. cmd:%d mid:%llu\n", len, clc_len, command, From patchwork Fri Oct 1 12:04:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530513 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2502C433F5 for ; Fri, 1 Oct 2021 12:25:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 883D161A55 for ; Fri, 1 Oct 2021 12:25:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354185AbhJAM1F (ORCPT ); Fri, 1 Oct 2021 08:27:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353397AbhJAM1E (ORCPT ); Fri, 1 Oct 2021 08:27:04 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9CE95C061775 for ; Fri, 1 Oct 2021 05:25:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=GJ6/GkDvZZxumGF9X6kh0wVdtvWV67L6QDPsqqQ8/3s=; b=pByUBAVkV0xjoDTGozXgAFdbEy RLfev4+Ys972YUWif7UjJrae9FmVBsqTjTk45WOHkaSqByvGLbshPovl/2AwxIocJocPg1Unm4XKL eDJZ+G67WWBLmbz4LoBFcX4Lu2ndLBol7JnId5v6AojHYf8+TSFq2ARfuahxET9a+8Wx8bMdPRKWC g9j5pS6d+yCP27XJwllTIJ9HT66grjYHA2nHBNoIGyLql4saqAS6OhCwOzObTu5wCaN7Ubcg50S4M HGXwnqm4UJ5r4HXVt9W91NPEt4cjwzQBG9gAy8hm8S7g3v3xwtP565NHwCep/78KAOBjUa0tgGI6n bDluCsVU39oeevF7C0cq7Ydu8tH8EQAltOCgjpKy7wHqcyeptv5t6ujGTnKzYnv0kYu7muSNMrHDV dkbbs96ZiaZd+oKGGoi/R0TkMNxkrUf/FFacBBUWfBvNZ6XK17xKtAq8oIXhnx3s0xWSRQhlfU67k ebaPgKm8snuAs7N4DUL16047; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIO-0013Z3-55; Fri, 01 Oct 2021 12:05:44 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Hyunchul Lee , Sergey Senozhatsky Subject: [PATCH v5 06/20] ksmbd: add validation in smb2 negotiate Date: Fri, 1 Oct 2021 14:04:07 +0200 Message-Id: <20211001120421.327245-7-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon This patch add validation to check request buffer check in smb2 negotiate and fix null pointer deferencing oops in smb3_preauth_hash_rsp() that found from manual test. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Hyunchul Lee Cc: Sergey Senozhatsky Reviewed-by: Ralph Boehme Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 42 +++++++++++++++++++++++++++++++++++++++++- fs/ksmbd/smb_common.c | 32 +++++++++++++++++++++++++++----- 2 files changed, 68 insertions(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index c434390ffcae..0b0ab3297e05 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -1067,6 +1067,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work) struct smb2_negotiate_req *req = work->request_buf; struct smb2_negotiate_rsp *rsp = work->response_buf; int rc = 0; + unsigned int smb2_buf_len, smb2_neg_size; __le32 status; ksmbd_debug(SMB, "Received negotiate request\n"); @@ -1084,6 +1085,44 @@ int smb2_handle_negotiate(struct ksmbd_work *work) goto err_out; } + smb2_buf_len = get_rfc1002_len(work->request_buf); + smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects) - 4; + if (smb2_neg_size > smb2_buf_len) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + + if (conn->dialect == SMB311_PROT_ID) { + unsigned int nego_ctxt_off = le32_to_cpu(req->NegotiateContextOffset); + + if (smb2_buf_len < nego_ctxt_off) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + + if (smb2_neg_size > nego_ctxt_off) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + + if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) > + nego_ctxt_off) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + } else { + if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) > + smb2_buf_len) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + } + conn->cli_cap = le32_to_cpu(req->Capabilities); switch (conn->dialect) { case SMB311_PROT_ID: @@ -8301,7 +8340,8 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work) WORK_BUFFERS(work, req, rsp); - if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE) + if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE && + conn->preauth_info) ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp, conn->preauth_info->Preauth_HashValue); diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index 20bd5b8e3c0a..b6c4c7e960fa 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -168,10 +168,12 @@ static bool supported_protocol(int idx) idx <= server_conf.max_protocol); } -static char *next_dialect(char *dialect, int *next_off) +static char *next_dialect(char *dialect, int *next_off, int bcount) { dialect = dialect + *next_off; - *next_off = strlen(dialect); + *next_off = strnlen(dialect, bcount); + if (dialect[*next_off] != '\0') + return NULL; return dialect; } @@ -186,7 +188,9 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count) dialect = cli_dialects; bcount = le16_to_cpu(byte_count); do { - dialect = next_dialect(dialect, &next); + dialect = next_dialect(dialect, &next, bcount); + if (!dialect) + break; ksmbd_debug(SMB, "client requested dialect %s\n", dialect); if (!strcmp(dialect, smb1_protos[i].name)) { @@ -234,13 +238,22 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count) static int ksmbd_negotiate_smb_dialect(void *buf) { - __le32 proto; + int smb_buf_length = get_rfc1002_len(buf); + __le32 proto = ((struct smb2_hdr *)buf)->ProtocolId; - proto = ((struct smb2_hdr *)buf)->ProtocolId; if (proto == SMB2_PROTO_NUMBER) { struct smb2_negotiate_req *req; + int smb2_neg_size = + offsetof(struct smb2_negotiate_req, Dialects) - 4; req = (struct smb2_negotiate_req *)buf; + if (smb2_neg_size > smb_buf_length) + goto err_out; + + if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) > + smb_buf_length) + goto err_out; + return ksmbd_lookup_dialect_by_id(req->Dialects, req->DialectCount); } @@ -250,10 +263,19 @@ static int ksmbd_negotiate_smb_dialect(void *buf) struct smb_negotiate_req *req; req = (struct smb_negotiate_req *)buf; + if (le16_to_cpu(req->ByteCount) < 2) + goto err_out; + + if (offsetof(struct smb_negotiate_req, DialectsArray) - 4 + + le16_to_cpu(req->ByteCount) > smb_buf_length) { + goto err_out; + } + return ksmbd_lookup_dialect_by_name(req->DialectsArray, req->ByteCount); } +err_out: return BAD_PROT_ID; } From patchwork Fri Oct 1 12:04:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530521 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3A23C433F5 for ; Fri, 1 Oct 2021 12:25:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DCC2961A55 for ; Fri, 1 Oct 2021 12:25:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353397AbhJAM1T (ORCPT ); Fri, 1 Oct 2021 08:27:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354362AbhJAM1P (ORCPT ); Fri, 1 Oct 2021 08:27:15 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2296FC061775 for ; Fri, 1 Oct 2021 05:25:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=4sgNGeiX6lIjDAIyfrNU1nThIZ+c07EIJLYzoomm29s=; b=UnmrWgP3st7iFiMcPNp5K7Z6Q5 Dp1kJnfb3WGBSyQYr0KVfPs1tM+fLvp1IhWUQGom58g7V92P0h3ddQukY8Z331zptj40DDnSD/IJ0 v5lRcFWhI9zby3bjdrmB8OQFbWFQkVfBpWbx2l7rfClJmmjg4qyIcdFimyVITVpPTsbchspPSuT27 c+BqUSZ1SoNysgckReWvDNO0Dm4bP3R+XeGclJbDrtWHNLFmFrkwN33nEGPgr4FQX4tnFgXNr7RBT /G8C39+pKrp6QNQMb+H+dinrlOd82dgjAZaP83RnWAJ1UWCLefTtkrjuGdJy9rr1q2k9TMG0e2I8y Zj8LQLfrNFfOZv/ppYY64Z10V3pyRZJ5ZUXBYQYHcoHo0yZKMVUeLmr2V9vVcGDJpo9zae4Ya51dn R5FmNNdCmHilWegztngR4F1s/K3gw0rWChrpCE1V62Fzvo2LYQqEs/8HccxLEMq1mUqujnVhKloDC FC7JtWuXrZJO1YOS6ZpNySQl; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIO-0013Z3-MX; Fri, 01 Oct 2021 12:05:44 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Hyunchul Lee , Ronnie Sahlberg , Steve French , Ralph Boehme , Namjae Jeon Subject: [PATCH v5 07/20] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT Date: Fri, 1 Oct 2021 14:04:08 +0200 Message-Id: <20211001120421.327245-8-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Hyunchul Lee Add buffer validation for SMB2_CREATE_CONTEXT. Cc: Ronnie Sahlberg Cc: Steve French Reviewed-by: Ralph Boehme Signed-off-by: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/oplock.c | 41 +++++++++++++++++++++++++++++++---------- fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++- fs/ksmbd/smbacl.c | 21 +++++++++++++++++++-- 3 files changed, 74 insertions(+), 13 deletions(-) diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c index 16b6236d1bd2..f9dae6ef2115 100644 --- a/fs/ksmbd/oplock.c +++ b/fs/ksmbd/oplock.c @@ -1451,26 +1451,47 @@ struct lease_ctx_info *parse_lease_state(void *open_req) */ struct create_context *smb2_find_context_vals(void *open_req, const char *tag) { - char *data_offset; struct create_context *cc; unsigned int next = 0; char *name; struct smb2_create_req *req = (struct smb2_create_req *)open_req; + unsigned int remain_len, name_off, name_len, value_off, value_len, + cc_len; - data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset); - cc = (struct create_context *)data_offset; + /* + * CreateContextsOffset and CreateContextsLength are guaranteed to + * be valid because of ksmbd_smb2_check_message(). + */ + cc = (struct create_context *)((char *)req + 4 + + le32_to_cpu(req->CreateContextsOffset)); + remain_len = le32_to_cpu(req->CreateContextsLength); do { - int val; - cc = (struct create_context *)((char *)cc + next); - name = le16_to_cpu(cc->NameOffset) + (char *)cc; - val = le16_to_cpu(cc->NameLength); - if (val < 4) + if (remain_len < offsetof(struct create_context, Buffer)) return ERR_PTR(-EINVAL); - if (memcmp(name, tag, val) == 0) - return cc; next = le32_to_cpu(cc->Next); + name_off = le16_to_cpu(cc->NameOffset); + name_len = le16_to_cpu(cc->NameLength); + value_off = le16_to_cpu(cc->DataOffset); + value_len = le32_to_cpu(cc->DataLength); + cc_len = next ? next : remain_len; + + if ((next & 0x7) != 0 || + next > remain_len || + name_off != offsetof(struct create_context, Buffer) || + name_len < 4 || + name_off + name_len > cc_len || + (value_off & 0x7) != 0 || + (value_off && (value_off < name_off + name_len)) || + ((u64)value_off + value_len > cc_len)) + return ERR_PTR(-EINVAL); + + name = (char *)cc + name_off; + if (memcmp(name, tag, name_len) == 0) + return cc; + + remain_len -= next; } while (next != 0); return NULL; diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 0b0ab3297e05..e40bcc86f3b3 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -2427,6 +2427,10 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work, ksmbd_debug(SMB, "Set ACLs using SMB2_CREATE_SD_BUFFER context\n"); sd_buf = (struct create_sd_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_sd_buf_req)) + return -EINVAL; return set_info_sec(work->conn, work->tcon, path, &sd_buf->ntsd, le32_to_cpu(sd_buf->ccontext.DataLength), true); } @@ -2621,6 +2625,12 @@ int smb2_open(struct ksmbd_work *work) goto err_out1; } else if (context) { ea_buf = (struct create_ea_buf_req *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_ea_buf_req)) { + rc = -EINVAL; + goto err_out1; + } if (req->CreateOptions & FILE_NO_EA_KNOWLEDGE_LE) { rsp->hdr.Status = STATUS_ACCESS_DENIED; rc = -EACCES; @@ -2659,6 +2669,12 @@ int smb2_open(struct ksmbd_work *work) } else if (context) { struct create_posix *posix = (struct create_posix *)context; + if (le16_to_cpu(context->DataOffset) + + le32_to_cpu(context->DataLength) < + sizeof(struct create_posix)) { + rc = -EINVAL; + goto err_out1; + } ksmbd_debug(SMB, "get posix context\n"); posix_mode = le32_to_cpu(posix->Mode); @@ -3049,9 +3065,16 @@ int smb2_open(struct ksmbd_work *work) rc = PTR_ERR(az_req); goto err_out; } else if (az_req) { - loff_t alloc_size = le64_to_cpu(az_req->AllocationSize); + loff_t alloc_size; int err; + if (le16_to_cpu(az_req->ccontext.DataOffset) + + le32_to_cpu(az_req->ccontext.DataLength) < + sizeof(struct create_alloc_size_req)) { + rc = -EINVAL; + goto err_out; + } + alloc_size = le64_to_cpu(az_req->AllocationSize); ksmbd_debug(SMB, "request smb2 create allocate size : %llu\n", alloc_size); diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c index 0a95cdec8c80..bd792db32623 100644 --- a/fs/ksmbd/smbacl.c +++ b/fs/ksmbd/smbacl.c @@ -380,7 +380,7 @@ static void parse_dacl(struct user_namespace *user_ns, { int i, ret; int num_aces = 0; - int acl_size; + unsigned int acl_size; char *acl_base; struct smb_ace **ppace; struct posix_acl_entry *cf_pace, *cf_pdace; @@ -392,7 +392,7 @@ static void parse_dacl(struct user_namespace *user_ns, return; /* validate that we do not go past end of acl */ - if (end_of_acl <= (char *)pdacl || + if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { pr_err("ACL too small to parse DACL\n"); return; @@ -431,8 +431,22 @@ static void parse_dacl(struct user_namespace *user_ns, * user/group/other have no permissions */ for (i = 0; i < num_aces; ++i) { + if (end_of_acl - acl_base < acl_size) + break; + ppace[i] = (struct smb_ace *)(acl_base + acl_size); acl_base = (char *)ppace[i]; + acl_size = offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth); + + if (end_of_acl - acl_base < acl_size || + ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || + (end_of_acl - acl_base < + acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) || + (le16_to_cpu(ppace[i]->size) < + acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth)) + break; + acl_size = le16_to_cpu(ppace[i]->size); ppace[i]->access_req = smb_map_generic_desired_access(ppace[i]->access_req); @@ -807,6 +821,9 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, if (!pntsd) return -EIO; + if (acl_len < sizeof(struct smb_ntsd)) + return -EINVAL; + owner_sid_ptr = (struct smb_sid *)((char *)pntsd + le32_to_cpu(pntsd->osidoffset)); group_sid_ptr = (struct smb_sid *)((char *)pntsd + From patchwork Fri Oct 1 12:04:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530419 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 826AEC433FE for ; Fri, 1 Oct 2021 12:05:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6C90861A85 for ; Fri, 1 Oct 2021 12:05:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354282AbhJAMHb (ORCPT ); Fri, 1 Oct 2021 08:07:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48680 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354129AbhJAMHb (ORCPT ); Fri, 1 Oct 2021 08:07:31 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 486F1C061775 for ; Fri, 1 Oct 2021 05:05:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=9p916dGRHvcVFrWbf/6Uja9PW/SMPiUk2YKBh1Jq/LU=; b=SPs5BPSyDngYjYJZy3J13BTxit ZXY+Ao0AlDhA40WBRo7nLSZ/mpjExDz7xZ87Cdmy2DFjkt06XeLYoi+mOj9ljRilS2IDDIhBRgnfW L3vU9N8XsRW3ddgR3E16HErfaNdMnxQlPhr/PO9eAaN7oco7IxHGAyV4wFLhOUT7RPMJtUd0MeEOm I+qi8RWkqb1gSAZYh32DGF9NHnPl61xvwvzJQUhDx8HPdXVnVWsRep9tnjCN0n/z+xubX4O6jbsMK MoKDVS+wqMl84EsKOOqujqHJF/xd9MXkz5sUvp60sjH9RZuW7KFsx0f4IjfI/hr1PGY7FhtKi6Wm9 2evXJltQekFtx034k9xpdQSeTUq6M7S+iKpkP4OGjrh6C8k7KCyYIVnr5IE7DKdAKDc23nNPLdPbt 6NiuWteuQMAocVha8A49ZQPuDxMKfblacg8+nTemzW41x53nrQg/fkZbkO4tFUpY5qiptaeBcmoja w9koMWWgky2N8yjbjxo4Hq4X; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIP-0013Z3-99; Fri, 01 Oct 2021 12:05:45 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 08/20] ksmbd: remove the leftover of smb2.0 dialect support Date: Fri, 1 Oct 2021 14:04:09 +0200 Message-Id: <20211001120421.327245-9-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Although ksmbd doesn't send SMB2.0 support in supported dialect list of smb negotiate response, There is the leftover of smb2.0 dialect. This patch remove it not to support SMB2.0 in ksmbd. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Cc: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2ops.c | 5 ----- fs/ksmbd/smb2pdu.c | 34 +++++++++------------------------- fs/ksmbd/smb2pdu.h | 1 - fs/ksmbd/smb_common.c | 6 +++--- 4 files changed, 12 insertions(+), 34 deletions(-) diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c index 197473871aa4..b06456eb587b 100644 --- a/fs/ksmbd/smb2ops.c +++ b/fs/ksmbd/smb2ops.c @@ -187,11 +187,6 @@ static struct smb_version_cmds smb2_0_server_cmds[NUMBER_OF_SMB2_COMMANDS] = { [SMB2_CHANGE_NOTIFY_HE] = { .proc = smb2_notify}, }; -int init_smb2_0_server(struct ksmbd_conn *conn) -{ - return -EOPNOTSUPP; -} - /** * init_smb2_1_server() - initialize a smb server connection with smb2.1 * command dispatcher diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index e40bcc86f3b3..ec05d9dc6436 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -236,9 +236,6 @@ int init_smb2_neg_rsp(struct ksmbd_work *work) if (conn->need_neg == false) return -EINVAL; - if (!(conn->dialect >= SMB20_PROT_ID && - conn->dialect <= SMB311_PROT_ID)) - return -EINVAL; rsp_hdr = work->response_buf; @@ -1166,13 +1163,6 @@ int smb2_handle_negotiate(struct ksmbd_work *work) case SMB21_PROT_ID: init_smb2_1_server(conn); break; - case SMB20_PROT_ID: - rc = init_smb2_0_server(conn); - if (rc) { - rsp->hdr.Status = STATUS_NOT_SUPPORTED; - goto err_out; - } - break; case SMB2X_PROT_ID: case BAD_PROT_ID: default: @@ -1191,11 +1181,9 @@ int smb2_handle_negotiate(struct ksmbd_work *work) rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size); rsp->MaxWriteSize = cpu_to_le32(conn->vals->max_write_size); - if (conn->dialect > SMB20_PROT_ID) { - memcpy(conn->ClientGUID, req->ClientGUID, - SMB2_CLIENT_GUID_SIZE); - conn->cli_sec_mode = le16_to_cpu(req->SecurityMode); - } + memcpy(conn->ClientGUID, req->ClientGUID, + SMB2_CLIENT_GUID_SIZE); + conn->cli_sec_mode = le16_to_cpu(req->SecurityMode); rsp->StructureSize = cpu_to_le16(65); rsp->DialectRevision = cpu_to_le16(conn->dialect); @@ -1537,11 +1525,9 @@ static int ntlm_authenticate(struct ksmbd_work *work) } } - if (conn->dialect > SMB20_PROT_ID) { - if (!ksmbd_conn_lookup_dialect(conn)) { - pr_err("fail to verify the dialect\n"); - return -ENOENT; - } + if (!ksmbd_conn_lookup_dialect(conn)) { + pr_err("fail to verify the dialect\n"); + return -ENOENT; } return 0; } @@ -1623,11 +1609,9 @@ static int krb5_authenticate(struct ksmbd_work *work) } } - if (conn->dialect > SMB20_PROT_ID) { - if (!ksmbd_conn_lookup_dialect(conn)) { - pr_err("fail to verify the dialect\n"); - return -ENOENT; - } + if (!ksmbd_conn_lookup_dialect(conn)) { + pr_err("fail to verify the dialect\n"); + return -ENOENT; } return 0; } diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h index 261825d06391..a6dec5ec6a54 100644 --- a/fs/ksmbd/smb2pdu.h +++ b/fs/ksmbd/smb2pdu.h @@ -1637,7 +1637,6 @@ struct smb2_posix_info { } __packed; /* functions */ -int init_smb2_0_server(struct ksmbd_conn *conn); void init_smb2_1_server(struct ksmbd_conn *conn); void init_smb3_0_server(struct ksmbd_conn *conn); void init_smb3_02_server(struct ksmbd_conn *conn); diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index b6c4c7e960fa..707490ab1f4c 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -88,7 +88,7 @@ unsigned int ksmbd_server_side_copy_max_total_size(void) inline int ksmbd_min_protocol(void) { - return SMB2_PROT; + return SMB21_PROT; } inline int ksmbd_max_protocol(void) @@ -427,7 +427,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, static int __smb2_negotiate(struct ksmbd_conn *conn) { - return (conn->dialect >= SMB20_PROT_ID && + return (conn->dialect >= SMB21_PROT_ID && conn->dialect <= SMB311_PROT_ID); } @@ -457,7 +457,7 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command) } } - if (command == SMB2_NEGOTIATE_HE) { + if (command == SMB2_NEGOTIATE_HE && __smb2_negotiate(conn)) { ret = smb2_handle_negotiate(work); init_smb2_neg_rsp(work); return ret; From patchwork Fri Oct 1 12:04:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530531 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED296C433EF for ; Fri, 1 Oct 2021 12:25:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D54666136A for ; Fri, 1 Oct 2021 12:25:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354307AbhJAM1e (ORCPT ); Fri, 1 Oct 2021 08:27:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53374 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhJAM1d (ORCPT ); Fri, 1 Oct 2021 08:27:33 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A0FEC061775 for ; Fri, 1 Oct 2021 05:25:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=tIMPJNkMwmzHEy12uw+TrFIwS+U0LsqW96ddHytUD7w=; b=a/GlzQlDcIj5aX3FfOV5OtGoXd y6gWlZjpCNS5EWtUpGZlOX3+gRW5vpahq7Sjd5nBjPv6aHyp+ZCVVYegtxodolbci7zI/iZLpB3FV 6CUdgOvIcLrTJM/e9YJz8yy8XQ6XNyuBYSLVqvZ0wu4QH/8EhR/QE6HGPAYnvlz22nbktoHpbOeE4 wPe/GzkfnmPa6jzKKAHC7fFRVYorRG70AAvNZW9WRsA3snT/ckUupAidIkTS9nBNcDjK8Y6fk9633 WH+uBKpX1ni3hLIe61udnnotKhz9w302VOURvi875/bj6e6LiKDFwvky1Qo4L42B/W3st6zuGZIQW of79JWTAgN+CJ7IjHWlaBThbJrCsvlkPvebHUyOlWykW0AlCTYDziQGBigsziJKczrQc7F/wWtlUI lXNbLxIYb1LFhC5hGxWa/7txS7z1F3PpSt3d193mh7yLcgmrzxW/bPCjOlaOz3V9htnKIsn/oPZYn pu3BTKPc0SiLrvW5JvwERcO1; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIQ-0013Z3-0U; Fri, 01 Oct 2021 12:05:46 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v5 09/20] ksmbd: remove NTLMv1 authentication Date: Fri, 1 Oct 2021 14:04:10 +0200 Message-Id: <20211001120421.327245-10-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Remove insecure NTLMv1 authentication. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Cc: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/auth.c | 205 ------------------------------------------ fs/ksmbd/crypto_ctx.c | 16 ---- fs/ksmbd/crypto_ctx.h | 8 -- 3 files changed, 229 deletions(-) diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c index de36f12070bf..71c989f1568d 100644 --- a/fs/ksmbd/auth.c +++ b/fs/ksmbd/auth.c @@ -68,125 +68,6 @@ void ksmbd_copy_gss_neg_header(void *buf) memcpy(buf, NEGOTIATE_GSS_HEADER, AUTH_GSS_LENGTH); } -static void -str_to_key(unsigned char *str, unsigned char *key) -{ - int i; - - key[0] = str[0] >> 1; - key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2); - key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3); - key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4); - key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5); - key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6); - key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7); - key[7] = str[6] & 0x7F; - for (i = 0; i < 8; i++) - key[i] = (key[i] << 1); -} - -static int -smbhash(unsigned char *out, const unsigned char *in, unsigned char *key) -{ - unsigned char key2[8]; - struct des_ctx ctx; - - if (fips_enabled) { - ksmbd_debug(AUTH, "FIPS compliance enabled: DES not permitted\n"); - return -ENOENT; - } - - str_to_key(key, key2); - des_expand_key(&ctx, key2, DES_KEY_SIZE); - des_encrypt(&ctx, out, in); - memzero_explicit(&ctx, sizeof(ctx)); - return 0; -} - -static int ksmbd_enc_p24(unsigned char *p21, const unsigned char *c8, unsigned char *p24) -{ - int rc; - - rc = smbhash(p24, c8, p21); - if (rc) - return rc; - rc = smbhash(p24 + 8, c8, p21 + 7); - if (rc) - return rc; - return smbhash(p24 + 16, c8, p21 + 14); -} - -/* produce a md4 message digest from data of length n bytes */ -static int ksmbd_enc_md4(unsigned char *md4_hash, unsigned char *link_str, - int link_len) -{ - int rc; - struct ksmbd_crypto_ctx *ctx; - - ctx = ksmbd_crypto_ctx_find_md4(); - if (!ctx) { - ksmbd_debug(AUTH, "Crypto md4 allocation error\n"); - return -ENOMEM; - } - - rc = crypto_shash_init(CRYPTO_MD4(ctx)); - if (rc) { - ksmbd_debug(AUTH, "Could not init md4 shash\n"); - goto out; - } - - rc = crypto_shash_update(CRYPTO_MD4(ctx), link_str, link_len); - if (rc) { - ksmbd_debug(AUTH, "Could not update with link_str\n"); - goto out; - } - - rc = crypto_shash_final(CRYPTO_MD4(ctx), md4_hash); - if (rc) - ksmbd_debug(AUTH, "Could not generate md4 hash\n"); -out: - ksmbd_release_crypto_ctx(ctx); - return rc; -} - -static int ksmbd_enc_update_sess_key(unsigned char *md5_hash, char *nonce, - char *server_challenge, int len) -{ - int rc; - struct ksmbd_crypto_ctx *ctx; - - ctx = ksmbd_crypto_ctx_find_md5(); - if (!ctx) { - ksmbd_debug(AUTH, "Crypto md5 allocation error\n"); - return -ENOMEM; - } - - rc = crypto_shash_init(CRYPTO_MD5(ctx)); - if (rc) { - ksmbd_debug(AUTH, "Could not init md5 shash\n"); - goto out; - } - - rc = crypto_shash_update(CRYPTO_MD5(ctx), server_challenge, len); - if (rc) { - ksmbd_debug(AUTH, "Could not update with challenge\n"); - goto out; - } - - rc = crypto_shash_update(CRYPTO_MD5(ctx), nonce, len); - if (rc) { - ksmbd_debug(AUTH, "Could not update with nonce\n"); - goto out; - } - - rc = crypto_shash_final(CRYPTO_MD5(ctx), md5_hash); - if (rc) - ksmbd_debug(AUTH, "Could not generate md5 hash\n"); -out: - ksmbd_release_crypto_ctx(ctx); - return rc; -} - /** * ksmbd_gen_sess_key() - function to generate session key * @sess: session of connection @@ -324,43 +205,6 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash, return ret; } -/** - * ksmbd_auth_ntlm() - NTLM authentication handler - * @sess: session of connection - * @pw_buf: NTLM challenge response - * @passkey: user password - * - * Return: 0 on success, error number on error - */ -int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf) -{ - int rc; - unsigned char p21[21]; - char key[CIFS_AUTH_RESP_SIZE]; - - memset(p21, '\0', 21); - memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE); - rc = ksmbd_enc_p24(p21, sess->ntlmssp.cryptkey, key); - if (rc) { - pr_err("password processing failed\n"); - return rc; - } - - ksmbd_enc_md4(sess->sess_key, user_passkey(sess->user), - CIFS_SMB1_SESSKEY_SIZE); - memcpy(sess->sess_key + CIFS_SMB1_SESSKEY_SIZE, key, - CIFS_AUTH_RESP_SIZE); - sess->sequence_number = 1; - - if (strncmp(pw_buf, key, CIFS_AUTH_RESP_SIZE) != 0) { - ksmbd_debug(AUTH, "ntlmv1 authentication failed\n"); - return -EINVAL; - } - - ksmbd_debug(AUTH, "ntlmv1 authentication pass\n"); - return 0; -} - /** * ksmbd_auth_ntlmv2() - NTLMv2 authentication handler * @sess: session of connection @@ -441,44 +285,6 @@ int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2, return rc; } -/** - * __ksmbd_auth_ntlmv2() - NTLM2(extended security) authentication handler - * @sess: session of connection - * @client_nonce: client nonce from LM response. - * @ntlm_resp: ntlm response data from client. - * - * Return: 0 on success, error number on error - */ -static int __ksmbd_auth_ntlmv2(struct ksmbd_session *sess, char *client_nonce, - char *ntlm_resp) -{ - char sess_key[CIFS_SMB1_SESSKEY_SIZE] = {0}; - int rc; - unsigned char p21[21]; - char key[CIFS_AUTH_RESP_SIZE]; - - rc = ksmbd_enc_update_sess_key(sess_key, - client_nonce, - (char *)sess->ntlmssp.cryptkey, 8); - if (rc) { - pr_err("password processing failed\n"); - goto out; - } - - memset(p21, '\0', 21); - memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE); - rc = ksmbd_enc_p24(p21, sess_key, key); - if (rc) { - pr_err("password processing failed\n"); - goto out; - } - - if (memcmp(ntlm_resp, key, CIFS_AUTH_RESP_SIZE) != 0) - rc = -EINVAL; -out: - return rc; -} - /** * ksmbd_decode_ntlmssp_auth_blob() - helper function to construct * authenticate blob @@ -512,17 +318,6 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob, nt_off = le32_to_cpu(authblob->NtChallengeResponse.BufferOffset); nt_len = le16_to_cpu(authblob->NtChallengeResponse.Length); - /* process NTLM authentication */ - if (nt_len == CIFS_AUTH_RESP_SIZE) { - if (le32_to_cpu(authblob->NegotiateFlags) & - NTLMSSP_NEGOTIATE_EXTENDED_SEC) - return __ksmbd_auth_ntlmv2(sess, (char *)authblob + - lm_off, (char *)authblob + nt_off); - else - return ksmbd_auth_ntlm(sess, (char *)authblob + - nt_off); - } - /* TODO : use domain name that imported from configuration file */ domain_name = smb_strndup_from_utf16((const char *)authblob + le32_to_cpu(authblob->DomainName.BufferOffset), diff --git a/fs/ksmbd/crypto_ctx.c b/fs/ksmbd/crypto_ctx.c index 5f4b1008d17e..81488d04199d 100644 --- a/fs/ksmbd/crypto_ctx.c +++ b/fs/ksmbd/crypto_ctx.c @@ -81,12 +81,6 @@ static struct shash_desc *alloc_shash_desc(int id) case CRYPTO_SHASH_SHA512: tfm = crypto_alloc_shash("sha512", 0, 0); break; - case CRYPTO_SHASH_MD4: - tfm = crypto_alloc_shash("md4", 0, 0); - break; - case CRYPTO_SHASH_MD5: - tfm = crypto_alloc_shash("md5", 0, 0); - break; default: return NULL; } @@ -214,16 +208,6 @@ struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void) return ____crypto_shash_ctx_find(CRYPTO_SHASH_SHA512); } -struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void) -{ - return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD4); -} - -struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void) -{ - return ____crypto_shash_ctx_find(CRYPTO_SHASH_MD5); -} - static struct ksmbd_crypto_ctx *____crypto_aead_ctx_find(int id) { struct ksmbd_crypto_ctx *ctx; diff --git a/fs/ksmbd/crypto_ctx.h b/fs/ksmbd/crypto_ctx.h index ef11154b43df..4a367c62f653 100644 --- a/fs/ksmbd/crypto_ctx.h +++ b/fs/ksmbd/crypto_ctx.h @@ -15,8 +15,6 @@ enum { CRYPTO_SHASH_CMACAES, CRYPTO_SHASH_SHA256, CRYPTO_SHASH_SHA512, - CRYPTO_SHASH_MD4, - CRYPTO_SHASH_MD5, CRYPTO_SHASH_MAX, }; @@ -43,8 +41,6 @@ struct ksmbd_crypto_ctx { #define CRYPTO_CMACAES(c) ((c)->desc[CRYPTO_SHASH_CMACAES]) #define CRYPTO_SHA256(c) ((c)->desc[CRYPTO_SHASH_SHA256]) #define CRYPTO_SHA512(c) ((c)->desc[CRYPTO_SHASH_SHA512]) -#define CRYPTO_MD4(c) ((c)->desc[CRYPTO_SHASH_MD4]) -#define CRYPTO_MD5(c) ((c)->desc[CRYPTO_SHASH_MD5]) #define CRYPTO_HMACMD5_TFM(c) ((c)->desc[CRYPTO_SHASH_HMACMD5]->tfm) #define CRYPTO_HMACSHA256_TFM(c)\ @@ -52,8 +48,6 @@ struct ksmbd_crypto_ctx { #define CRYPTO_CMACAES_TFM(c) ((c)->desc[CRYPTO_SHASH_CMACAES]->tfm) #define CRYPTO_SHA256_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA256]->tfm) #define CRYPTO_SHA512_TFM(c) ((c)->desc[CRYPTO_SHASH_SHA512]->tfm) -#define CRYPTO_MD4_TFM(c) ((c)->desc[CRYPTO_SHASH_MD4]->tfm) -#define CRYPTO_MD5_TFM(c) ((c)->desc[CRYPTO_SHASH_MD5]->tfm) #define CRYPTO_GCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_GCM]) #define CRYPTO_CCM(c) ((c)->ccmaes[CRYPTO_AEAD_AES_CCM]) @@ -64,8 +58,6 @@ struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_hmacsha256(void); struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_cmacaes(void); struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha512(void); struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_sha256(void); -struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md4(void); -struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_md5(void); struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_gcm(void); struct ksmbd_crypto_ctx *ksmbd_crypto_ctx_find_ccm(void); void ksmbd_crypto_destroy(void); From patchwork Fri Oct 1 12:04:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530527 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63D2FC433EF for ; Fri, 1 Oct 2021 12:25:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4B17861A85 for ; Fri, 1 Oct 2021 12:25:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353431AbhJAM13 (ORCPT ); Fri, 1 Oct 2021 08:27:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhJAM12 (ORCPT ); Fri, 1 Oct 2021 08:27:28 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9195DC061775 for ; Fri, 1 Oct 2021 05:25:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=WpkZ1NfFD6FTS92J7O5drCFrrBVUGBRTq1+XIBakZpQ=; b=XBcFwqxjdrO+fxyMcK+im9mTr2 xQDGo78HbkOl7kfJOaiZhBV3MrlIVFsG1UCT+YaBixVFqs6CwLmC7YaDseX9m+ieIAiLDa2BPyOKI 6szuWF96q/u5SxCIRIzYVzgPtUIO1EAhLLFyLx7tKKEckO2NsECoM3mS88WdD2w0SwUB2lA+AUxpP p0OlHl9Lwp59jrdMW3v9oU6hmKnP5jL33KbPpiHm+C9Tq9SnTALwDfd5+fEkFAldsIiYiawTriPFX jLZB4LO1Yg3+YCtFwIjO1cmExdmBdEpRHJkg1vsXbRNeKFiDUgEVMOv9FSzitdLQEr6WkMq2CDs7N ehYgcAuLIYNGrbQB6X8uRGQm8nUw1Nw5EAtfKvR5FaRTBOdvT3jdnhBrMycgj4yNZdD6xlPhnylCH MV9bGMt+eBCsWAwujA9wjO7f3W6HMclu5SOW/tcMlNWMe/eBw46pJstD60nS/zmCOzI/YVHi+VDfY BbXntEwEnLZCAH9i72e8+onW; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIQ-0013Z3-KI; Fri, 01 Oct 2021 12:05:46 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Ronnie Sahlberg , =?utf-8?q?Ralph_B=C3=B6hme?= , Steve French , Sergey Senozhatsky , Hyunchul Lee , Tom Talpey Subject: [PATCH v5 10/20] ksmbd: fix transform header validation Date: Fri, 1 Oct 2021 14:04:11 +0200 Message-Id: <20211001120421.327245-11-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon Validate that the transform and smb request headers are present before checking OriginalMessageSize and SessionId fields. Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Cc: Hyunchul Lee Reviewed-By: Tom Talpey Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index ec05d9dc6436..b06361313889 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -8455,16 +8455,8 @@ int smb3_decrypt_req(struct ksmbd_work *work) unsigned int buf_data_size = pdu_length + 4 - sizeof(struct smb2_transform_hdr); struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf; - unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize); int rc = 0; - sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); - if (!sess) { - pr_err("invalid session id(%llx) in transform header\n", - le64_to_cpu(tr_hdr->SessionId)); - return -ECONNABORTED; - } - if (pdu_length + 4 < sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) { pr_err("Transform message is too small (%u)\n", @@ -8472,11 +8464,19 @@ int smb3_decrypt_req(struct ksmbd_work *work) return -ECONNABORTED; } - if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) { + if (pdu_length + 4 < + le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) { pr_err("Transform message is broken\n"); return -ECONNABORTED; } + sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); + if (!sess) { + pr_err("invalid session id(%llx) in transform header\n", + le64_to_cpu(tr_hdr->SessionId)); + return -ECONNABORTED; + } + iov[0].iov_base = buf; iov[0].iov_len = sizeof(struct smb2_transform_hdr); iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr); From patchwork Fri Oct 1 12:04:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530533 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 952C4C433EF for ; Fri, 1 Oct 2021 12:25:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7F84461A55 for ; Fri, 1 Oct 2021 12:25:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354359AbhJAM1i (ORCPT ); Fri, 1 Oct 2021 08:27:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53390 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhJAM1h (ORCPT ); Fri, 1 Oct 2021 08:27:37 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58BA8C061775 for ; Fri, 1 Oct 2021 05:25:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=Q0neQf3DKShcAntux8ELXSZVcbd+9OfbnnszLV4r0Y8=; b=Zw5/0nGZbPlJucB1qptaPkxzk8 krfqiLxTnZN33IcGEbUd2mTULVDbfni115ZP/jsHH+sxEYBkor3b+e3Hz8dxl63NcjTQ17oZME760 rZogi3wcKCTxf22aLZkwMPSWtJZtcNaqgiUaDCHirhaOwDTE6gIOXn5JbSfDRAVxoFCvkhzBLM+wv PsYZRvbhqJ6+VJb55E/EZV7h6o/etMKLtKaQm2GkvxFKqkwv7ODbvtMjNqalHQlbGScY3GRROO6+d 3V8fpYqQi+Ospd94Bi91wAMJL/7zydOMYX4WzW0VklQJ2Duxfch/h6J16DaqkKgcD4gbkkgSsFBzR nBTXza3V1scheKROZI/Hd/0Fsozf42f8o8XJpA/S0MK+xp7GMkJ4TjG/6cWgFuq+JQm8pqFziQki7 KgxWFWLVbLy4Iw4XkB41L4CXnlZjme7hEE/wwOzx+Tx3+SBSdLPHJDwYnf+IzoInb1ZxIlRNsJXF8 3YYLHrDndiXc9dxgcfvsukKp; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIR-0013Z3-4o; Fri, 01 Oct 2021 12:05:47 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 11/20] ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message() Date: Fri, 1 Oct 2021 14:04:12 +0200 Message-Id: <20211001120421.327245-12-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 9edd9c161b27..2cc031c39514 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -329,17 +329,12 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr) int ksmbd_smb2_check_message(struct ksmbd_work *work) { - struct smb2_pdu *pdu = work->request_buf; + struct smb2_pdu *pdu = ksmbd_req_buf_next(work); struct smb2_hdr *hdr = &pdu->hdr; int command; __u32 clc_len; /* calculated length */ __u32 len = get_rfc1002_len(pdu); - if (work->next_smb2_rcv_hdr_off) { - pdu = ksmbd_req_buf_next(work); - hdr = &pdu->hdr; - } - if (le32_to_cpu(hdr->NextCommand) > 0) { len = le32_to_cpu(hdr->NextCommand); } else if (work->next_smb2_rcv_hdr_off) { From patchwork Fri Oct 1 12:04:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530515 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75D7AC433F5 for ; Fri, 1 Oct 2021 12:25:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5D5786136A for ; Fri, 1 Oct 2021 12:25:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354245AbhJAM1H (ORCPT ); Fri, 1 Oct 2021 08:27:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353397AbhJAM1H (ORCPT ); Fri, 1 Oct 2021 08:27:07 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B2AFC061775 for ; Fri, 1 Oct 2021 05:25:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=KPOvTBMqIWQXb+ncVEi2iT+wEwy5e5gkeoEpe3EpiD0=; b=e5svH502atsydS70tDAU/kUbD/ yTK23CF4QXQ3ZpYkQH2Uxj5aSl6KQgQS8k29Vw7bsCZRObzNT56ktFhcr59TpxoejLd9x5F3UGdkh aog9ZbLpeCA2oqPAaO75WeAagU/3BD2X+2rkDMGVAfVIgldBCx2YPsMex7ZxMJkai1qWq/BF+w67W DDbDDoGNDNC7uEjx6hTT9bYle3W7Lxzan8FPnGv+m90VPu5Un9naV2V69SCB/Dy+xYTOtYrKO9ToD AUuT5CHAd+lgnWItNityI5fsMxijPZ5uo/QSuaR1RAWD7dkKNWBZe8ZvMSuOlePN87Na+C3OBVMQQ y73/Wa6xQqcdbfuKqFViDiVNRh4XC02IYYBKVWp4ZU1fQF5IiTu4BHCgsw9BdnSltdvodbVeUe2To BBy9kMcEZa9mi/6DclAMyEzEHLaos+SnSEtsu0sWSjZ7Ukvh0+YFH5vugB19sEpCz1E8wSH44Pxjj 3+ohG25XjX9Q1iutOwSrxf7y; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIR-0013Z3-LQ; Fri, 01 Oct 2021 12:05:47 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 12/20] ksmbd: use ksmbd_req_buf_next() in ksmbd_verify_smb_message() Date: Fri, 1 Oct 2021 14:04:13 +0200 Message-Id: <20211001120421.327245-13-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index 707490ab1f4c..e1e5a071678e 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -132,7 +132,7 @@ int ksmbd_lookup_protocol_idx(char *str) */ int ksmbd_verify_smb_message(struct ksmbd_work *work) { - struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off; + struct smb2_hdr *smb2_hdr = ksmbd_req_buf_next(work); struct smb_hdr *hdr; if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) From patchwork Fri Oct 1 12:04:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530539 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48C0CC433F5 for ; Fri, 1 Oct 2021 12:26:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 328B961A55 for ; Fri, 1 Oct 2021 12:26:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354363AbhJAM1q (ORCPT ); Fri, 1 Oct 2021 08:27:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53428 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354364AbhJAM1q (ORCPT ); Fri, 1 Oct 2021 08:27:46 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E98DAC061775 for ; Fri, 1 Oct 2021 05:26:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=skH0ba/C/5YHeOyjYMYNshVkPL7AAa9MhtVOWwxAoyg=; b=1vEOdG4+YuKAYtGEqI+RvE1oW6 WXpQYPeU/Xwl81ECV83fNYkFTmchzvOyAkGZvTittWRKjHJfAsAdfwNQNKVIPC28sb/RALExMQH1p O2ITDnJqmmYVp4w0+zORcm6GtRl+nDoUzo7CC6byuGhNQslhX0EQ8xjGgNpH5dc6wyoPRfAS3dWuT YPwyyxG7odLxM2qL0h7rTLC0nNUVUylYZJj1wSwh8OzVA+DMuE4AzQJ/wV99lcJkdiNSa7BKRWrgi l2HS1YKGrtAN+ycWRSejZbib7EK+Ms8Bzo9gcl2gjPp0ef8At+f2PfiruErysJd9aaFc8h0Ds/0J1 hQO1Xe/mC9VkNt/Brr8375fNp1IFIN3j8/FSzx5rHXyNWDhFCMXwURtLUAigMHfV8ZRHB1d9UG0wn jPn9ulUP9zdW92KEbpaUd5N0CBzHlGufrrq8y1wtp7+8kBj/FX3EE8dh+qRIWhYsxbfIU+IoVIJNQ 0zkZX9GjA3W0xmMa1acvq8Pc; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIS-0013Z3-AB; Fri, 01 Oct 2021 12:05:48 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 13/20] ksmbd: remove ksmbd_verify_smb_message() Date: Fri, 1 Oct 2021 14:04:14 +0200 Message-Id: <20211001120421.327245-14-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Another leftover from SMB1 support. Remove it and use ksmbd_verify_smb_message() directly in __process_request(). Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/server.c | 2 +- fs/ksmbd/smb_common.c | 24 ------------------------ fs/ksmbd/smb_common.h | 1 - 3 files changed, 1 insertion(+), 26 deletions(-) diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c index 2a2b2135bfde..328c4225cec1 100644 --- a/fs/ksmbd/server.c +++ b/fs/ksmbd/server.c @@ -114,7 +114,7 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn, if (check_conn_state(work)) return SERVER_HANDLER_CONTINUE; - if (ksmbd_verify_smb_message(work)) + if (ksmbd_smb2_check_message(work)) return SERVER_HANDLER_ABORT; command = conn->ops->get_cmd_val(work); diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index e1e5a071678e..4a283cd6d6e1 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -122,30 +122,6 @@ int ksmbd_lookup_protocol_idx(char *str) return -1; } -/** - * ksmbd_verify_smb_message() - check for valid smb2 request header - * @work: smb work - * - * check for valid smb signature and packet direction(request/response) - * - * Return: 0 on success, otherwise -EINVAL - */ -int ksmbd_verify_smb_message(struct ksmbd_work *work) -{ - struct smb2_hdr *smb2_hdr = ksmbd_req_buf_next(work); - struct smb_hdr *hdr; - - if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) - return ksmbd_smb2_check_message(work); - - hdr = work->request_buf; - if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER && - hdr->Command == SMB_COM_NEGOTIATE) - return 0; - - return -EINVAL; -} - /** * ksmbd_smb_request() - check for valid smb request type * @conn: connection instance diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h index 6e79e7577f6b..782c06292020 100644 --- a/fs/ksmbd/smb_common.h +++ b/fs/ksmbd/smb_common.h @@ -488,7 +488,6 @@ int ksmbd_max_protocol(void); int ksmbd_lookup_protocol_idx(char *str); -int ksmbd_verify_smb_message(struct ksmbd_work *work); bool ksmbd_smb_request(struct ksmbd_conn *conn); int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); From patchwork Fri Oct 1 12:04:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530519 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EF62C433EF for ; Fri, 1 Oct 2021 12:25:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 06D606136A for ; Fri, 1 Oct 2021 12:25:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354356AbhJAM1N (ORCPT ); Fri, 1 Oct 2021 08:27:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353431AbhJAM1M (ORCPT ); Fri, 1 Oct 2021 08:27:12 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D0CEC061775 for ; Fri, 1 Oct 2021 05:25:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=kAtciHOP6QyrU99e5spGof+UvOvqxpuqqrQn0N/XcRs=; b=D2QRkrU0wRYoXCzz4ttemaFX76 ezSv2F7Cxjr1joFuWgHlB+07aLkTZ1L4a5KSslvABYuP40sn7uIaql0zeQBRYSRewmuzgtYPKAIps rCHy5wxcEWAjOFOZAW0lJO3aZnV7EXXqfvxzo33iRdO5MgyusOqeJCt7m1BflyhIDa6dhdbWbRQUW Ic60G6XQYoJhpFEpym1+SbsZWjNjgsvOLtqj1dRC88j6xvpwjYmB95OYwgYpR2kzVV/MkEaUHSbiX WkPiCUnihm5ebY4iQX1DdfQSCMmiNdXCtngFAEwSl0w55dTsb4ztSjFakLcgIMlI5FwrWTd15ciFI AoObdh8L96lqkNOsqHByNgDhmQfJrDNzVsR5mYBAZ8QxE6issnx7PSFp1j/d8V860giRcEYsIF25r 6AjJmfy2LvOk1/pSTG1f2CoxjXhiik+riH1mlvIYIcYLvqgaXONLQ3mfrMhxRYb5lo5YC3/l602Al vHw/WFyWik3fYISgFKivsoiZ; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIS-0013Z3-Ty; Fri, 01 Oct 2021 12:05:49 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 14/20] ksmbd: add ksmbd_smb2_cur_pdu_buflen() Date: Fri, 1 Oct 2021 14:04:15 +0200 Message-Id: <20211001120421.327245-15-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 25 +++++++++++++++++++++++++ fs/ksmbd/smb2pdu.h | 1 + 2 files changed, 26 insertions(+) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 2cc031c39514..76f53db7db8d 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -427,3 +427,28 @@ int smb2_negotiate_request(struct ksmbd_work *work) { return ksmbd_smb_negotiate_common(work, SMB2_NEGOTIATE_HE); } + +/** + * ksmbd_smb2_cur_pdu_buflen() - Get len of current SMB2 PDU buffer + * This returns the lenght including any possible padding. + * @work: smb work containing request buffer + */ +unsigned int ksmbd_smb2_cur_pdu_buflen(struct ksmbd_work *work) +{ + struct smb2_hdr *hdr = ksmbd_req_buf_next(work); + unsigned int buf_len; + unsigned int pdu_len; + + if (hdr->NextCommand != 0) { + /* + * hdr->NextCommand has already been validated by + * init_chained_smb2_rsp(). + */ + return __le32_to_cpu(hdr->NextCommand); + } + + buf_len = get_rfc1002_len(work->request_buf); + pdu_len = buf_len - work->next_smb2_rcv_hdr_off; + return pdu_len; +} + diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h index a6dec5ec6a54..c5fa8256b0bb 100644 --- a/fs/ksmbd/smb2pdu.h +++ b/fs/ksmbd/smb2pdu.h @@ -1680,6 +1680,7 @@ int smb2_set_rsp_credits(struct ksmbd_work *work); /* smb2 misc functions */ int ksmbd_smb2_check_message(struct ksmbd_work *work); +unsigned int ksmbd_smb2_cur_pdu_buflen(struct ksmbd_work *work); /* smb2 command handlers */ int smb2_handle_negotiate(struct ksmbd_work *work); From patchwork Fri Oct 1 12:04:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530523 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CF576C433EF for ; Fri, 1 Oct 2021 12:25:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AE1616136A for ; Fri, 1 Oct 2021 12:25:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353430AbhJAM1T (ORCPT ); Fri, 1 Oct 2021 08:27:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353431AbhJAM1T (ORCPT ); Fri, 1 Oct 2021 08:27:19 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18BF6C061775 for ; Fri, 1 Oct 2021 05:25:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=YnmZ4rBj6/U25JQdxacF0yp+BjlyrxXq7IN5+KtPqds=; b=lraTKNdJ+oAkjoOYoTjUIBncel YFHm+95QnxJiMKoq6I41zOClYDFGtnKFwx+iKq0nuLvXjhlkXaYKpXIew+1qwmbgA3xA6oulsqj5R nC9QE+R+8vzxQK6eZwMUltWZvp2cByWg1T9BTG6DsBD0afEdoq1Cwr08l8od+hpSyb7n46176hJzD T4qzZFuY9Ku1v9hko8X6urk46tOdVl6HtX8x9McIvnwwWJYuTV7MqYZc5lAyV0rDV26hVzZKnHMl8 V2CMPDo69h8zN2S2tod1AkTM4Pxoi0JNo0+5mdxtgWOUEnUZxMlH8GQzOWLetbZBSbP925pl2yBO+ 2Ow0b+UECkmbEaLSHDQ/CmrwWzkz7q7TfR68K2eZQLz+06gJNWI/Jy/DOj+uOj5GVWtEy9S65xDGl ZBQrb7g6mLywT9UEj26otwOcfhh3SbPfjabkHDC2ofauOC/9XbmIBVIpc1LSoNW5P9n5TIHM7QnKE KJdWGzwXjTI0+Ut7JWkLn3wX; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIT-0013Z3-Hf; Fri, 01 Oct 2021 12:05:49 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 15/20] ksmbd: use ksmbd_smb2_cur_pdu_buflen() in ksmbd_smb2_check_message() Date: Fri, 1 Oct 2021 14:04:16 +0200 Message-Id: <20211001120421.327245-16-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 76f53db7db8d..7ed266eb6c5e 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -333,14 +333,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) struct smb2_hdr *hdr = &pdu->hdr; int command; __u32 clc_len; /* calculated length */ - __u32 len = get_rfc1002_len(pdu); - - if (le32_to_cpu(hdr->NextCommand) > 0) { - len = le32_to_cpu(hdr->NextCommand); - } else if (work->next_smb2_rcv_hdr_off) { - len -= work->next_smb2_rcv_hdr_off; - len = round_up(len, 8); - } + __u32 len = ksmbd_smb2_cur_pdu_buflen(work); if (check_smb2_hdr(hdr)) return 1; @@ -395,7 +388,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) * Some windows servers (win2016) will pad also the final * PDU in a compound to 8 bytes. */ - if (ALIGN(clc_len, 8) == len) + if (ALIGN(clc_len, 8) == ALIGN(len, 8)) return 0; /* From patchwork Fri Oct 1 12:04:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530509 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52C11C4332F for ; Fri, 1 Oct 2021 12:25:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 38AB96136A for ; Fri, 1 Oct 2021 12:25:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230073AbhJAM06 (ORCPT ); Fri, 1 Oct 2021 08:26:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354351AbhJAM0z (ORCPT ); Fri, 1 Oct 2021 08:26:55 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6091CC061775 for ; Fri, 1 Oct 2021 05:25:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=gcOkDaciJ1NsJos0u7ZxZoxHkGE3C4YqugB+34yYavo=; b=vKCGu/28skQbnfh99qwUM8S51Z XNw74VOAx+7SovGYfWueL9CbaMtZOLuUjiGeO/zkCERKfY5hW5NSGxZ09gXFuVQjFVngAhpLFv3qT g+BmND9Fez/kNMAD0SSf0AK4I87PMvFm87thPVhadC/7hToXgzvIL0My2GxjgsmHqo6fbwRKyO25t 40D/xR2kscqV9jkY56vxOmJQJtCl9Yjef9XCuikJ6ALLJnyBaTI1mUBr8HjIabwJX1w7h9BxDk/Yw C2enCAbAMj8kixNJXAs6oLDKhcRGcJ5gn7Iyp6fjzSxdZ16cUTtZ9ph9v43mzLgZ22WdQr20qhwmT u4s60TGeUeOUd5I6yZk53T6EV6Vuc8lhHozoTEhIW2Lm/Zs26t+ubL2tu2kaTcs/NSGCER5ZNR5EB h3YUQlaEKLvN1FdhNhlW+4eaXImSpQtYkmo6zMZHz5KgwuhZLXRSUx56XtLEWJm+zqcvcEwvIM1TY ET2cXf/M9X3VVC5AnRc4AgAA; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIU-0013Z3-2N; Fri, 01 Oct 2021 12:05:50 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 16/20] ksmbd: check PDU len is at least header plus body size in ksmbd_smb2_check_message() Date: Fri, 1 Oct 2021 14:04:17 +0200 Message-Id: <20211001120421.327245-17-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Note: we already have the same check in is_chained_smb2_message(), but there it only applies to compound requests, so we have to repeat the check here to cover both cases. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 7ed266eb6c5e..541b39b7a84b 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) if (check_smb2_hdr(hdr)) return 1; + if (len < sizeof(struct smb2_pdu) - 4) + return 1; + if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { ksmbd_debug(SMB, "Illegal structure size %u\n", le16_to_cpu(hdr->StructureSize)); From patchwork Fri Oct 1 12:04:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530535 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2DC7C433EF for ; Fri, 1 Oct 2021 12:25:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D500B61A55 for ; Fri, 1 Oct 2021 12:25:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230092AbhJAM1k (ORCPT ); Fri, 1 Oct 2021 08:27:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53400 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354361AbhJAM1j (ORCPT ); Fri, 1 Oct 2021 08:27:39 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7743C061775 for ; Fri, 1 Oct 2021 05:25:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=ImcoTzW6T/0ToK3dGY1uZiG8CTNii1vrIM1lJjydl40=; b=BR6XY3RjpZqBLeM6z4E2fBlx1A PoTZVnb34oOR86M1V5YKft6ba72m61BDVA0rbrVSNTQt9fKpenyrBh1RRa3htPax63We3OFHUF4qK 0S4Uc8Q/E7Of5SeTWMNQnYntFVNhQ2mNwjy4ZJrP7qsSXFaX8epCrYhG8xa13sPP/qUdE2MVNdcQt 1dqRG49z5WFy7hpSX/EUEXPhSPNW8JJhrw2kxmUqdJhi9T5SeuUsqQvrOyXvnJFRuJP4ZaMwUbFQU whCMNnxb49I95KJMLGSVx5IwY/rTUpEC42vogKB73pT2z60TQ8XGYuMBMre6vKJhkro+BQVtaa3Ga t7jE9ZNXyspp702lrACI8aslRLg+vSinDfD99GVK/xRy1McXgDIChM+XQzgzbPYEoRnBj7RP8MJ3v ofpo/MxXGYFCINxkzt8WCQ7eA/OllkJMMG/7MmlaXUJTxexf0n4P687hQEK3aZ2hJFcpeveqhqC0Y i8XRv0+aOEOa2v+1ajz5Wocf; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIU-0013Z3-Ji; Fri, 01 Oct 2021 12:05:50 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 17/20] ksmdb: use cmd helper variable in smb2_get_ksmbd_tcon() Date: Fri, 1 Oct 2021 14:04:18 +0200 Message-Id: <20211001120421.327245-18-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2pdu.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index b06361313889..7d3344b5519c 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -94,12 +94,13 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn int smb2_get_ksmbd_tcon(struct ksmbd_work *work) { struct smb2_hdr *req_hdr = work->request_buf; + unsigned int cmd = le16_to_cpu(req_hdr->Command); int tree_id; work->tcon = NULL; - if (work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE || - work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE || - work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE) { + if (cmd == SMB2_TREE_CONNECT_HE || + cmd == SMB2_CANCEL_HE || + cmd == SMB2_LOGOFF_HE) { ksmbd_debug(SMB, "skip to check tree connect request\n"); return 0; } From patchwork Fri Oct 1 12:04:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7ECC6C433EF for ; Fri, 1 Oct 2021 12:25:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6739C61A55 for ; Fri, 1 Oct 2021 12:25:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354358AbhJAM1Z (ORCPT ); Fri, 1 Oct 2021 08:27:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53340 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhJAM1Z (ORCPT ); Fri, 1 Oct 2021 08:27:25 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8D42C061775 for ; Fri, 1 Oct 2021 05:25:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=XjLAfYtbAJ9nqNCj/XwXpc6ybkGmyX2pqfFAxoM+IBQ=; b=0SokKsw87EKCF6ePhg/6D/iec2 Rr1Rpyw9Xra4p1OTTynSVIiULkJPuJT8jAJmml0Tdz+1WtHVXgYP3ZU2KJU95ybM4EXSQsMIaSPps HheXlDoxs8YqURIHwbUh3pP9Ye4VnFH6VPzIAoMflljRzLjt+zWEQKjVHDz1Q4gmjWUXgRZsMgacT GHxJZm+buTzWxsoyDEKPGE4QodaFKaWinsTpa/v9JiOqd3QH0zOZBRKsqlWw3jBtS7U2W1NwW+/cm qX/LvdJw+zSdJ+Lm8a7hyg9LRYGaQkxRd5uf8ko/FnIOBYkQqOqOQHJyHmZEWYpYVp7zBjAiTogAo Js66CjlEZMYLZKVCzRN9XQ9DXwA/RxBeLKggN0rFflnWR1acIDiPwqTa441mjOfi2iHvb8GKKOZjB /L1TI+zm2Dw5C3aCDXNSqHpQPI/fQ58a9O0YwDB0kSOH2/HZHesby8rmQnU5HxL0EDNp4QeLW9Uzq QwOAGC8qG6iRxjxeTWSYKMzU; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIV-0013Z3-4e; Fri, 01 Oct 2021 12:05:51 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 18/20] ksmdb: make smb2_get_ksmbd_tcon() callable with chained PDUs Date: Fri, 1 Oct 2021 14:04:19 +0200 Message-Id: <20211001120421.327245-19-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Also track the tcon id of compound requests. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/ksmbd_work.h | 1 + fs/ksmbd/smb2pdu.c | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h index f7156bc50049..91363d508909 100644 --- a/fs/ksmbd/ksmbd_work.h +++ b/fs/ksmbd/ksmbd_work.h @@ -46,6 +46,7 @@ struct ksmbd_work { u64 compound_fid; u64 compound_pfid; u64 compound_sid; + u32 compound_tid; const struct cred *saved_cred; diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 7d3344b5519c..5b1fead05c49 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -98,6 +98,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) int tree_id; work->tcon = NULL; + work->compound_tid = 0; + if (cmd == SMB2_TREE_CONNECT_HE || cmd == SMB2_CANCEL_HE || cmd == SMB2_LOGOFF_HE) { @@ -110,13 +112,18 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) return -ENOENT; } - tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId); + if (req_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS) + tree_id = work->compound_tid; + else + tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId); + work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id); if (!work->tcon) { pr_err("Invalid tid %d\n", tree_id); return -EINVAL; } + work->compound_tid = tree_id; return 1; } From patchwork Fri Oct 1 12:04:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530537 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 539F5C433F5 for ; Fri, 1 Oct 2021 12:26:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3A7906136A for ; Fri, 1 Oct 2021 12:26:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354361AbhJAM1n (ORCPT ); Fri, 1 Oct 2021 08:27:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53414 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354363AbhJAM1n (ORCPT ); Fri, 1 Oct 2021 08:27:43 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEE60C061775 for ; Fri, 1 Oct 2021 05:25:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=nx+VSDjPAv36NdVeMQh27Wf+hqRz60RvTpdQyV8FkwQ=; b=PokOTgRGPPFSyKBDYozdry3njS 8qfvXEbyN7uaSpPjZbb7LUWx5W/Qu5Ld1o9Y3WQeyjSOFOy6KtcHaGl3ZIA7Qguq8eqmsgDB906mr SlloSqF/zhUeigkV7j/lrLNhxjfc2VB2vOp3dQqaVWeN7GIF/uFa1Ie1HnsLP9lhWJRzk91VPeHDp 4tsvwBuOlvekbykNJEF7ZdgHKv3dDG0RXf2qqIv0rEqILL1F+4SdlEk999JEKdN/Li9yor0zYwPzj oTfPNgYORzW9qomtNZANbbiiC5T9jNmvjQr/OF0ICw9FIYx8gJIxXAz4DRhSQE6UGhVDdFsXWNhUd AtTjsSrIp7FnjPDT5DDn7hz99sk12OCdAV4r1t9aPiCkejzMis6ypkCcpaehLBpqnM/Q53CJGn9rX mV2wsJBAoB21qULrGIT0a9e3KbdJjMw6ENZ50BUNBqs2BqDXvWDregA5+8WoENL9aQHiz5A2ZsTX7 bNL0wFP3Ivjqn+t8zB903Z19; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIV-0013Z3-Ls; Fri, 01 Oct 2021 12:05:51 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 19/20] ksmbd: make smb2_check_user_session() callabe for compound PDUs Date: Fri, 1 Oct 2021 14:04:20 +0200 Message-Id: <20211001120421.327245-20-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2pdu.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 5b1fead05c49..ef551e3633db 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -411,7 +411,6 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) work->compound_pfid = le64_to_cpu(((struct smb2_create_rsp *)rsp)-> PersistentFileId); - work->compound_sid = le64_to_cpu(rsp->SessionId); } len = get_rfc1002_len(work->response_buf) - work->next_smb2_rsp_hdr_off; @@ -592,6 +591,8 @@ int smb2_check_user_session(struct ksmbd_work *work) unsigned long long sess_id; work->sess = NULL; + work->compound_sid = 0; + /* * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not * require a session id, so no need to validate user session's for @@ -604,11 +605,17 @@ int smb2_check_user_session(struct ksmbd_work *work) if (!ksmbd_conn_good(work)) return -EINVAL; - sess_id = le64_to_cpu(req_hdr->SessionId); + if (req_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS) + sess_id = work->compound_sid; + else + sess_id = le64_to_cpu(req_hdr->SessionId); + /* Check for validity of user session */ work->sess = ksmbd_session_lookup_all(conn, sess_id); - if (work->sess) + if (work->sess) { + work->compound_sid = sess_id; return 1; + } ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id); return -EINVAL; } From patchwork Fri Oct 1 12:04:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12530529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7ECD2C433FE for ; Fri, 1 Oct 2021 12:25:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6C8E76136A for ; Fri, 1 Oct 2021 12:25:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354255AbhJAM1b (ORCPT ); Fri, 1 Oct 2021 08:27:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230092AbhJAM1b (ORCPT ); Fri, 1 Oct 2021 08:27:31 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F08CC061775 for ; Fri, 1 Oct 2021 05:25:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=2Dd7ebzVyD7CeByR9fNJuA681xSwAX4KEnum8fBjft8=; b=C3++zGAMYBSV2YyoDiKrANYcio oQGhkFyJJE2jYdyH4hJRyhEVCYy8/O/uZt0rLDWpj/Yl8YcVFOKnfXmXv1aCsA2Fo1247iv6xlsrk GyJPLZgLxWjyPdv3EodF6sTYbS5iM1onHyBVxCaxO8QC9acRrKMHbJ7zYO5Z3Yvlsb5uBLFAWFIrN 1G8uRx/YxojJ0a9iNnIYZ/HHqSR2lditoOfj4Z7sb/x0O9msmPNBKN0Hrb7kz5T5iqiD+xBN1dgrH Oo98eRVU85i7sD6oKS/zviNQ2b5nBqgmqXC/p29zCs0OYVdIIsvrRYbJZNrbyPYt95kP28mF1Lh/B bYcMdOfDfIMg8ke6qm2XMon/IpmSELxxz3Fv1/eoWAeWLCh02UVLuVTMifO94iwNMU3+2Qeq0Q/cr PcpW2ZVIoElqeRJckm9kKJMmZfias1c5m5WBvIvJJeRtsk2e2kf90um6ewLBz/FRgPb8vMatQ5mCR MfqN2g9n0allN+z2ciw1mgsy; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWHIW-0013Z3-6G; Fri, 01 Oct 2021 12:05:52 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v5 20/20] ksmdb: move session and tcon validation to ksmbd_smb2_check_message() Date: Fri, 1 Oct 2021 14:04:21 +0200 Message-Id: <20211001120421.327245-21-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211001120421.327245-1-slow@samba.org> References: <20211001120421.327245-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org For compound non-related operations session id and tree id must be taken from earch PDU. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/server.c | 17 ----------------- fs/ksmbd/smb2misc.c | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c index 328c4225cec1..8b638c701b7f 100644 --- a/fs/ksmbd/server.c +++ b/fs/ksmbd/server.c @@ -184,23 +184,6 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, goto send; } - if (conn->ops->check_user_session) { - rc = conn->ops->check_user_session(work); - if (rc < 0) { - command = conn->ops->get_cmd_val(work); - conn->ops->set_rsp_status(work, - STATUS_USER_SESSION_DELETED); - goto send; - } else if (rc > 0) { - rc = conn->ops->get_ksmbd_tcon(work); - if (rc < 0) { - conn->ops->set_rsp_status(work, - STATUS_NETWORK_NAME_DELETED); - goto send; - } - } - } - do { rc = __process_request(work, conn, &command); if (rc == SERVER_HANDLER_ABORT) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 541b39b7a84b..d0a3fbf7bc89 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -334,6 +334,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) int command; __u32 clc_len; /* calculated length */ __u32 len = ksmbd_smb2_cur_pdu_buflen(work); + int rc; if (check_smb2_hdr(hdr)) return 1; @@ -416,6 +417,25 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } + if (work->conn->ops->check_user_session == NULL) + return 0; + + rc = work->conn->ops->check_user_session(work); + if (rc < 0) { + work->conn->ops->set_rsp_status(work, + STATUS_USER_SESSION_DELETED); + return 1; + } + if (rc == 0) + return 0; + + rc = work->conn->ops->get_ksmbd_tcon(work); + if (rc < 0) { + work->conn->ops->set_rsp_status(work, + STATUS_NETWORK_NAME_DELETED); + return 1; + } + return 0; }