From patchwork Wed Sep 14 02:17:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12975443 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5583CECAAD8 for ; Wed, 14 Sep 2022 01:16:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229659AbiINBQ4 (ORCPT ); Tue, 13 Sep 2022 21:16:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48114 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229603AbiINBQz (ORCPT ); Tue, 13 Sep 2022 21:16:55 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3430A61B3E for ; Tue, 13 Sep 2022 18:16:54 -0700 (PDT) Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MS2Pz0yR4zlVl9; Wed, 14 Sep 2022 09:12:55 +0800 (CST) Received: from localhost.localdomain (10.175.101.6) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 09:16:52 +0800 
From: Zhang Xiaoxu
To: , , , , , , , , , ,
Subject: [PATCH v6 1/5] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
Date: Wed, 14 Sep 2022 10:17:37 +0800
Message-ID: <20220914021741.2672982-2-zhangxiaoxu5@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
References: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID:
X-Mailing-List: linux-cifs@vger.kernel.org

Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") extended the dialects from 3 to 4 but forgot to decrease the extended length when a specific dialect is requested, so the message length is larger than expected. This may leak some info over the network because the message body is not initialized.

After applying this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes.

Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
Signed-off-by: Zhang Xiaoxu
Cc:
Reviewed-by: Tom Talpey
---
 fs/cifs/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6352ab32c7e7..223056097b54 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1169,9 +1169,9 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) pneg_inbuf->Dialects[0] = cpu_to_le16(server->vals->protocol_id); pneg_inbuf->DialectCount = cpu_to_le16(1); - /* structure is big enough for 3 dialects, sending only 1 */ + /* structure is big enough for 4 dialects, sending only 1 */ inbuflen = sizeof(*pneg_inbuf) - - sizeof(pneg_inbuf->Dialects[0]) * 2; + sizeof(pneg_inbuf->Dialects[0]) * 3; } rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, From patchwork Wed Sep 14 02:17:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12975444 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38323C6FA86 for ; Wed, 14 Sep 2022 01:16:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229622AbiINBQ5 (ORCPT ); Tue, 13 Sep 2022 21:16:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229531AbiINBQz (ORCPT ); Tue, 13 Sep 2022 21:16:55 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 00B6361B28 for ; Tue, 13 Sep 2022 18:16:54 -0700 (PDT) Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4MS2QD3435zmVNQ; Wed, 14 Sep 2022 09:13:08 +0800 (CST) Received: from localhost.localdomain (10.175.101.6) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 09:16:52 +0800 
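Review bot: the corrected length in the else branch still hardcodes the reserved slot count (sizeof(*pneg_inbuf) minus 3 dialect entries), which is exactly the coupling that broke when Dialects grew from 3 to 4. Computing the single-dialect case as `offsetof(struct validate_negotiate_info_req, Dialects) + sizeof(pneg_inbuf->Dialects[0])` gives the same 26 bytes without depending on how many slots the struct reserves, so the next dialect addition cannot reintroduce the over-length send of uninitialized bytes that the commit message describes.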
From: Zhang Xiaoxu
To: , , , , , , , , , ,
Subject: [PATCH v6 2/5] ksmbd: Fix wrong return value in smb2_ioctl()
Date: Wed, 14 Sep 2022 10:17:38 +0800
Message-ID: <20220914021741.2672982-3-zhangxiaoxu5@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
References: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID:
X-Mailing-List: linux-cifs@vger.kernel.org

When {in,out}_buf_len is less than required, we should goto out to initialize the status in the response header.

Fixes: f7db8fd03a4bc ("ksmbd: add validation in smb2_ioctl")
Signed-off-by: Zhang Xiaoxu
Cc:
---
 fs/ksmbd/smb2pdu.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index c49f65146ab3..b56d7688ccf1 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7640,11 +7640,15 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) - return -EINVAL; + if (in_buf_len < sizeof(struct validate_negotiate_info_req)) { + ret = -EINVAL; + goto out; + } - if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) - return -EINVAL; + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { + ret = -EINVAL; + goto out; + } ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0], From patchwork Wed Sep 14 02:17:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12975445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFFA9C6FA8B for ; Wed, 14 Sep 2022 01:16:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229531AbiINBQ6 (ORCPT ); Tue, 13 Sep 2022 21:16:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48122 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229638AbiINBQ4 (ORCPT ); Tue, 13 Sep 2022 21:16:56 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 653DA61D40 for ; Tue, 13 Sep 2022 18:16:55 -0700 (PDT) Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MS2Q02636zlVk4; Wed, 14 Sep 2022 09:12:56 +0800 (CST) Received: from localhost.localdomain (10.175.101.6) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 09:16:53 +0800 
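Review bot: the two new blocks are identical apart from the length being checked, so fold them into one condition and write the error path once: `if (in_buf_len < sizeof(struct validate_negotiate_info_req) || out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { ret = -EINVAL; goto out; }`. Routing both through `out` is the right fix, since the bare `return -EINVAL` skipped whatever status handling `out` performs on the response header, and the commit message should say what that handling is so the behavioural change is clear.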
From: Zhang Xiaoxu
To: , , , , , , , , , ,
Subject: [PATCH v6 3/5] ksmbd: Fix FSCTL_VALIDATE_NEGOTIATE_INFO message length check in smb2_ioctl()
Date: Wed, 14 Sep 2022 10:17:39 +0800
Message-ID: <20220914021741.2672982-4-zhangxiaoxu5@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
References: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID:
X-Mailing-List: linux-cifs@vger.kernel.org

The structure size includes 4 dialect slots, but the protocol does not require the client to send all 4. So this allows the negotiation to not fail.

Fixes: c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and move its struct to smbfs_common")
Signed-off-by: Zhang Xiaoxu
Cc:
Reviewed-by: Tom Talpey
---
 fs/ksmbd/smb2pdu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index b56d7688ccf1..09ae601e64f9 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7640,7 +7640,8 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) { + if (in_buf_len < offsetof(struct validate_negotiate_info_req, + Dialects)) { ret = -EINVAL; goto out; } From patchwork Wed Sep 14 02:17:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12975447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2AE8FC6FA8E for ; Wed, 14 Sep 2022 01:16:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229721AbiINBQ6 (ORCPT ); Tue, 13 Sep 2022 21:16:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48136 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229603AbiINBQ5 (ORCPT ); Tue, 13 Sep 2022 21:16:57 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECAF761B33 for ; Tue, 13 Sep 2022 18:16:55 -0700 (PDT) Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MS2RT2YkpznV7H; Wed, 14 Sep 2022 09:14:13 +0800 (CST) Received: from localhost.localdomain (10.175.101.6) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 14 Sep 2022 09:16:53 +0800 
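Review bot: relaxing the smb2_ioctl() check to offsetof(struct validate_negotiate_info_req, Dialects) means this function no longer guarantees that even one dialect slot lies inside in_buf_len, so the callee must check `le16_to_cpu(DialectCount) * sizeof(__le16)` against the remaining length before it reads Dialects. That check is not in this hunk; the commit message should state that fsctl_validate_negotiate_info() performs it, so a reviewer can confirm the header-only check here is sufficient and that a request claiming more dialects than it carries is still rejected.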
From: Zhang Xiaoxu
To: , , , , , , , , , ,
Subject: [PATCH v6 4/5] cifs: Add neg dialects info to smb version values
Date: Wed, 14 Sep 2022 10:17:40 +0800
Message-ID: <20220914021741.2672982-5-zhangxiaoxu5@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
References: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID:
X-Mailing-List: linux-cifs@vger.kernel.org

The dialects information used when negotiating with the server depends on the smb version; add it to the version values and make the code simpler.

Signed-off-by: Zhang Xiaoxu
Acked-by: Tom Talpey
---
 fs/cifs/cifsglob.h | 2 ++
 fs/cifs/smb2ops.c | 35 ++++++++++++++++++++++++++++
 fs/cifs/smb2pdu.c | 58 +++++++---------------------------------------
 3 files changed, 46 insertions(+), 49 deletions(-)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index ae7f571a7dba..376421b63738 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -553,6 +553,8 @@ struct smb_version_values { __u16 signing_enabled; __u16 signing_required; size_t create_lease_size; + int neg_dialect_cnt; + __le16 *neg_dialects; }; #define HEADER_SIZE(server) (server->vals->header_size) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 421be43af425..e1407124c761 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -5664,6 +5664,12 @@ struct smb_version_values smb21_values = { .create_lease_size = sizeof(struct create_lease), }; +static __le16 smb3any_neg_dialects[] = { + cpu_to_le16(SMB30_PROT_ID), + cpu_to_le16(SMB302_PROT_ID), + cpu_to_le16(SMB311_PROT_ID) +}; + struct smb_version_values smb3any_values = { .version_string = SMB3ANY_VERSION_STRING, .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */ 
@@ -5683,6 +5689,15 @@ struct smb_version_values smb3any_values = { .signing_enabled = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED, .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, .create_lease_size = sizeof(struct create_lease_v2), + .neg_dialect_cnt = ARRAY_SIZE(smb3any_neg_dialects), + .neg_dialects = smb3any_neg_dialects, +}; + +static __le16 smbdefault_neg_dialects[] = { + cpu_to_le16(SMB21_PROT_ID), + cpu_to_le16(SMB30_PROT_ID), + cpu_to_le16(SMB302_PROT_ID), + cpu_to_le16(SMB311_PROT_ID) }; struct smb_version_values smbdefault_values = { @@ -5704,6 +5719,12 @@ struct smb_version_values smbdefault_values = { .signing_enabled = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED, .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, .create_lease_size = sizeof(struct create_lease_v2), + .neg_dialect_cnt = ARRAY_SIZE(smbdefault_neg_dialects), + .neg_dialects = smbdefault_neg_dialects, +}; + +static __le16 smb30_neg_dialects[] = { + cpu_to_le16(SMB30_PROT_ID), }; struct smb_version_values smb30_values = { @@ -5725,6 +5746,12 @@ struct smb_version_values smb30_values = { .signing_enabled = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED, .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, .create_lease_size = sizeof(struct create_lease_v2), + .neg_dialect_cnt = ARRAY_SIZE(smb30_neg_dialects), + .neg_dialects = smb30_neg_dialects, +}; + +static __le16 smb302_neg_dialects[] = { + cpu_to_le16(SMB302_PROT_ID), }; struct smb_version_values smb302_values = { 
@@ -5746,6 +5773,12 @@ struct smb_version_values smb302_values = { .signing_enabled = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED, .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, .create_lease_size = sizeof(struct create_lease_v2), + .neg_dialect_cnt = ARRAY_SIZE(smb302_neg_dialects), + .neg_dialects = smb302_neg_dialects, +}; + +static __le16 smb311_neg_dialects[] = { + cpu_to_le16(SMB311_PROT_ID), }; struct smb_version_values smb311_values = { @@ -5767,4 +5800,6 @@ struct smb_version_values smb311_values = { .signing_enabled = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED, .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, .create_lease_size = sizeof(struct create_lease_v2), + .neg_dialect_cnt = ARRAY_SIZE(smb311_neg_dialects), + .neg_dialects = smb311_neg_dialects, }; diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 223056097b54..482ed480fbc6 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c 
@@ -897,27 +897,10 @@ SMB2_negotiate(const unsigned int xid, memset(server->preauth_sha_hash, 0, SMB2_PREAUTH_HASH_SIZE); memset(ses->preauth_sha_hash, 0, SMB2_PREAUTH_HASH_SIZE); - if (strcmp(server->vals->version_string, - SMB3ANY_VERSION_STRING) == 0) { - req->Dialects[0] = cpu_to_le16(SMB30_PROT_ID); - req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID); - req->Dialects[2] = cpu_to_le16(SMB311_PROT_ID); - req->DialectCount = cpu_to_le16(3); - total_len += 6; - } else if (strcmp(server->vals->version_string, - SMBDEFAULT_VERSION_STRING) == 0) { - req->Dialects[0] = cpu_to_le16(SMB21_PROT_ID); - req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID); - req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID); - req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID); - req->DialectCount = cpu_to_le16(4); - total_len += 8; - } else { - /* otherwise send specific dialect */ - req->Dialects[0] = cpu_to_le16(server->vals->protocol_id); - req->DialectCount = cpu_to_le16(1); - total_len += 2; - } + req->DialectCount = cpu_to_le16(server->vals->neg_dialect_cnt); + memcpy(req->Dialects, server->vals->neg_dialects, + sizeof(__le16) * server->vals->neg_dialect_cnt); + total_len += sizeof(__le16) * server->vals->neg_dialect_cnt; /* only one of SMB2 signing flags may be set in SMB2 request */ if (ses->sign) 
@@ -1145,34 +1128,11 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) else pneg_inbuf->SecurityMode = 0; - - if (strcmp(server->vals->version_string, - SMB3ANY_VERSION_STRING) == 0) { - pneg_inbuf->Dialects[0] = cpu_to_le16(SMB30_PROT_ID); - pneg_inbuf->Dialects[1] = cpu_to_le16(SMB302_PROT_ID); - pneg_inbuf->Dialects[2] = cpu_to_le16(SMB311_PROT_ID); - pneg_inbuf->DialectCount = cpu_to_le16(3); - /* SMB 2.1 not included so subtract one dialect from len */ - inbuflen = sizeof(*pneg_inbuf) - - (sizeof(pneg_inbuf->Dialects[0])); - } else if (strcmp(server->vals->version_string, - SMBDEFAULT_VERSION_STRING) == 0) { - pneg_inbuf->Dialects[0] = cpu_to_le16(SMB21_PROT_ID); - pneg_inbuf->Dialects[1] = cpu_to_le16(SMB30_PROT_ID); - pneg_inbuf->Dialects[2] = cpu_to_le16(SMB302_PROT_ID); - pneg_inbuf->Dialects[3] = cpu_to_le16(SMB311_PROT_ID); - pneg_inbuf->DialectCount = cpu_to_le16(4); - /* structure is big enough for 4 dialects */ - inbuflen = sizeof(*pneg_inbuf); - } else { - /* otherwise specific dialect was requested */ - pneg_inbuf->Dialects[0] = - cpu_to_le16(server->vals->protocol_id); - pneg_inbuf->DialectCount = cpu_to_le16(1); - /* structure is big enough for 4 dialects, sending only 1 */ - inbuflen = sizeof(*pneg_inbuf) - - sizeof(pneg_inbuf->Dialects[0]) * 3; - } + pneg_inbuf->DialectCount = cpu_to_le16(server->vals->neg_dialect_cnt); + memcpy(pneg_inbuf->Dialects, server->vals->neg_dialects, + server->vals->neg_dialect_cnt * sizeof(__le16)); + inbuflen = offsetof(struct validate_negotiate_info_req, Dialects) + + sizeof(pneg_inbuf->Dialects[0]) * server->vals->neg_dialect_cnt; rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, FSCTL_VALIDATE_NEGOTIATE_INFO, From patchwork Wed Sep 14 02:17:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhang Xiaoxu X-Patchwork-Id: 12975446 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
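Review bot: in the cifsglob.h hunk the new `__le16 *neg_dialects` member only ever points at static tables that are never written, so declare it `const __le16 *neg_dialects` and define the tables in smb2ops.c as `static const __le16 ...[]`; that puts the dialect lists in rodata and turns any accidental write into a compile error. `neg_dialect_cnt` holds an array length, so an unsigned type would also avoid the signed/unsigned mix when it is multiplied by sizeof(__le16) in the smb2pdu.c hunks.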
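Review bot: in the SMB2_negotiate() hunk the memcpy() into req->Dialects is bounded only by neg_dialect_cnt, and nothing ties that count to the capacity of req->Dialects; the old code wrote at most four fixed entries, so the bound was implicit. Since every table is static, add a compile-time check at the table definitions (or at least a comment) that the largest table, smbdefault_neg_dialects with 4 entries, fits the negotiate request's Dialects array, so a future dialect addition cannot overrun the request buffer.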
From: Zhang Xiaoxu
To: , , , , , , , , , ,
Subject: [PATCH v6 5/5] cifs: Refactor dialects in validate_negotiate_info_req to variable array
Date: Wed, 14 Sep 2022 10:17:41 +0800
Message-ID: <20220914021741.2672982-6-zhangxiaoxu5@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
References: <20220914021741.2672982-1-zhangxiaoxu5@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To dggpeml500023.china.huawei.com (7.185.36.114)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID:
X-Mailing-List: linux-cifs@vger.kernel.org

The length of the FSCTL_VALIDATE_NEGOTIATE_INFO message depends on the count of the dialects, and the dialect count depends on the smb version, so the dialects should be a variable array.

Signed-off-by: Zhang Xiaoxu
---
 fs/cifs/smb2pdu.c | 7 ++++---
 fs/ksmbd/smb2pdu.c | 5 ++---
 fs/smbfs_common/smb2pdu.h | 3 +--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 482ed480fbc6..70a3fce85e7c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1107,7 +1107,10 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) cifs_tcon_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n"); - pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS); + inbuflen = sizeof(*pneg_inbuf) + + sizeof(__le16) * server->vals->neg_dialect_cnt; + + pneg_inbuf = kmalloc(inbuflen, GFP_NOFS); if (!pneg_inbuf) return -ENOMEM; 
@@ -1131,8 +1134,6 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) pneg_inbuf->DialectCount = cpu_to_le16(server->vals->neg_dialect_cnt); memcpy(pneg_inbuf->Dialects, server->vals->neg_dialects, server->vals->neg_dialect_cnt * sizeof(__le16)); - inbuflen = offsetof(struct validate_negotiate_info_req, Dialects) + - sizeof(pneg_inbuf->Dialects[0]) * server->vals->neg_dialect_cnt; rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, FSCTL_VALIDATE_NEGOTIATE_INFO, diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 09ae601e64f9..aa86f31aa2cd 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -7392,7 +7392,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn, int ret = 0; int dialect; - if (in_buf_len < offsetof(struct validate_negotiate_info_req, Dialects) + + if (in_buf_len < sizeof(*neg_req) + le16_to_cpu(neg_req->DialectCount) * sizeof(__le16)) return -EINVAL; @@ -7640,8 +7640,7 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < offsetof(struct validate_negotiate_info_req, - Dialects)) { + if (in_buf_len < sizeof(struct validate_negotiate_info_req)) { ret = -EINVAL; goto out; } diff --git a/fs/smbfs_common/smb2pdu.h b/fs/smbfs_common/smb2pdu.h index 2cab413fffee..4780c72e9b3a 100644 --- a/fs/smbfs_common/smb2pdu.h +++ b/fs/smbfs_common/smb2pdu.h @@ -1388,13 +1388,12 @@ struct reparse_symlink_data_buffer { } __packed; /* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */ - struct validate_negotiate_info_req { __le32 Capabilities; __u8 Guid[SMB2_CLIENT_GUID_SIZE]; __le16 SecurityMode; __le16 DialectCount; - __le16 Dialects[4]; /* BB expand this if autonegotiate > 4 dialects */ + __le16 Dialects[]; } __packed; struct validate_negotiate_info_rsp {
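Review bot: in the kmalloc() hunk of fs/cifs/smb2pdu.c, `sizeof(*pneg_inbuf) + sizeof(__le16) * server->vals->neg_dialect_cnt` is exactly what `struct_size(pneg_inbuf, Dialects, server->vals->neg_dialect_cnt)` computes now that Dialects is a flexible array, and the helper adds overflow checking; prefer it here. Since the 1/5 commit message attributes the original leak to uninitialized bytes in this buffer, it is also worth confirming in the commit message that every byte of inbuflen (Capabilities, Guid, SecurityMode, DialectCount and all neg_dialect_cnt Dialects entries) is written before the buffer goes on the wire, because with kmalloc() any gap would be sent as-is.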
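Review bot: the fs/smbfs_common/smb2pdu.h hunk also deletes the blank line between the `/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */` comment and `struct validate_negotiate_info_req` (the hunk shrinks from 13 to 12 lines with only one insertion), which is an unrelated whitespace change and makes a comment about reparse_posix_data read as if it described validate_negotiate_info_req; drop that deletion and keep the hunk to the `Dialects[]` change. Because this header is shared by cifs and ksmbd, the `sizeof(*neg_req)` and `sizeof(struct validate_negotiate_info_req)` checks changed in fs/ksmbd/smb2pdu.c in the same patch only stay correct together with the flexible-array change, so these hunks must not be split across separate commits.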