From patchwork Sun Apr  8 21:16:47 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve French <smfrench@gmail.com>
X-Patchwork-Id: 896067
Return-Path: <linux-cifs-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=linux-cifs-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="UQSDUabn"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 40K5qC1XVPz9s3L
	for <incoming@patchwork.ozlabs.org>;
	Mon,  9 Apr 2018 07:17:11 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752414AbeDHVRK (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Sun, 8 Apr 2018 17:17:10 -0400
Received: from mail-pl0-f48.google.com ([209.85.160.48]:45359 "EHLO
	mail-pl0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752258AbeDHVRJ (ORCPT
	<rfc822; linux-cifs@vger.kernel.org>); Sun, 8 Apr 2018 17:17:09 -0400
Received: by mail-pl0-f48.google.com with SMTP id e22-v6so2138617plj.12
	for <linux-cifs@vger.kernel.org>;
	Sun, 08 Apr 2018 14:17:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=mime-version:from:date:message-id:subject:to;
	bh=QwWQ9grLadIYv0k/lNlBMko4pU0giBu4yGtkmMyeuOw=;
	b=UQSDUabnQr0wplfQFHY0QjKVlY9+WmEl1T4sWhIxf3DOG9hGGvjia5DX+mSk05Qu3j
	3lql50xMUQA2xO5WBG3HJbqld9f8vn71P3mV/zRjiGzgTf+H5mM7KoiMcZdD9efgqtOV
	Q1mgG78hX9pXoFVeaQRjcO3Nzx3UOzpxevvvarBXbu74Uz9crzXhy3Sj4ZTdeMqS2/RW
	00jRQkFKJxsRJYV5P5YVgG+rhIFU8NSBJsyW03dlws2B//5r2vUYjNUH2SDnJUHnXKtA
	qsL6vfahpFzYGRLW5FKRBVLpieJIA8qc8FwetY+pv4z92PDgQHM3B7knQJXKimSTFkY2
	HZSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
	bh=QwWQ9grLadIYv0k/lNlBMko4pU0giBu4yGtkmMyeuOw=;
	b=cxVJn+U+y7dWUqOf1aLy1Nci6i0D2OvK5jPX6Ri+r+2ZDU1NqT84TI78ebrPFuj9Ix
	3WRuIv5NhcqRTZgH+qlCyQd6gLTp60SpwXfsTYuGotkMcESObvko5IUjsGhGTvyQIlMx
	p8Zn7aSulnfcjZrNWENHWWnBLuoUfvBE0Nl6NIUGFE8FXBlKQMmzpdbSAHJyjDGDykx6
	c7hnPVPW9HVduhSRueJ8Mxo6StqThySyB2xarWfRFFvpxmf71cmi/c8/NjQc2b3s5DOq
	2SG1hj3yLaGDCIIFCrMsDHoLR+AZo1s48yQB5H3RGGpGtyMkCgpn0dvlBlgR5ejLsyZ4
	xYhw==
X-Gm-Message-State: AElRT7EOGzdV9mRnhmYEuna9tY6g7kTqAsm4OhD3SUIy+sa84EvcDypo
	6bzPUfdTLjgJbruXZalCognhX5kLIUJFsvHNjH03r/2M
X-Google-Smtp-Source: 
 AIpwx4+lWtqRWbaIxpTb/SfaG5d3Ea1kpNrvHzWwVGv6xy3+tGBv+Rbi+eQbUg7UWiliA/cnDXoZpRJV2abdRm3XCkY=
X-Received: by 2002:a17:902:51ce:: with SMTP id
	y72-v6mr35519265plh.157.1523222228345;
	Sun, 08 Apr 2018 14:17:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.152.97 with HTTP; Sun, 8 Apr 2018 14:16:47 -0700 (PDT)
From: Steve French <smfrench@gmail.com>
Date: Sun, 8 Apr 2018 16:16:47 -0500
Message-ID: 
 <CAH2r5mtcKoNSxyPNGD4i=5mKLpf1Y9R7Sr6E_eXgXqKcgmCyRg@mail.gmail.com>
Subject: [PATCH][SMB3] Removing confusing error message by fixing buffer
	length checking in SMB3.11 negprot
To: CIFS <linux-cifs@vger.kernel.org>
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org

SMB3: Fix length checking of SMB3.11 negotiate request

The length checking for SMB3.11 negotiate request includes
"negotiate contexts" which caused a buffer validation problem
and a confusing warning message on SMB3.11 mount e.g.:

     SMB2 server sent bad RFC1001 len 236 not 170

Fix the length checking for SMB3.11 negotiate to account for
the new negotiate context so that we don't log a warning on
SMB3.11 mount.

See attached
Reviewed-by: Aurelien Aptel <aaptel@suse.com>

From d2b1e074a47c206a058b0e648050d986285435d7 Mon Sep 17 00:00:00 2001
From: Steve French <smfrench@gmail.com>
Date: Sun, 8 Apr 2018 16:14:31 -0500
Subject: [PATCH] SMB3: Fix length checking of SMB3.11 negotiate request

The length checking for SMB3.11 negotiate request includes
"negotiate contexts" which caused a buffer validation problem
and a confusing warning message on SMB3.11 mount e.g.:

     SMB2 server sent bad RFC1001 len 236 not 170

Fix the length checking for SMB3.11 negotiate to account for
the new negotiate context so that we don't log a warning on
SMB3.11 mount.

CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <smfrench@gmail.com>
---
 fs/cifs/smb2misc.c | 39 +++++++++++++++++++++++++++++++++++++++
 fs/cifs/smb2pdu.h  |  7 +++++++
 2 files changed, 46 insertions(+)

diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index 5406e95f5d92..9df9f0b48160 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -93,6 +93,41 @@ static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
 	/* SMB2_OPLOCK_BREAK */ cpu_to_le16(24)
 };
 
+#ifdef CONFIG_CIFS_SMB311
+static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, __u32 non_ctxlen)
+{
+	__u16 neg_count;
+	__u32 nc_offset, size_of_pad_before_neg_ctxts;
+	struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr;
+
+	/* Negotiate contexts are only valid for latest dialect SMB3.11 */
+	neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount);
+	if ((neg_count == 0) ||
+	   (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID)))
+		return 0;
+
+	/* Make sure that negotiate contexts start after gss security blob */
+	nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset);
+	if (nc_offset < non_ctxlen - 4 /* RFC1001 len field */) {
+		printk_once(KERN_WARNING "invalid negotiate context offset\n");
+		return 0;
+	}
+	size_of_pad_before_neg_ctxts = nc_offset - (non_ctxlen - 4);
+
+	/* Verify that at least minimal negotiate contexts fit within frame */
+	if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) {
+		printk_once(KERN_WARNING "negotiate context goes beyond end\n");
+		return 0;
+	}
+
+	cifs_dbg(FYI, "length of negcontexts %d pad %d\n",
+		len - nc_offset, size_of_pad_before_neg_ctxts);
+
+	/* length of negcontexts including pad from end of sec blob to them */
+	return (len - nc_offset) + size_of_pad_before_neg_ctxts;
+}
+#endif /* CIFS_SMB311 */
+
 int
 smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr)
 {
@@ -198,6 +233,10 @@ smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr)
 
 	clc_len = smb2_calc_size(hdr);
 
+#ifdef CONFIG_CIFS_SMB311
+	if (shdr->Command == SMB2_NEGOTIATE)
+		clc_len += get_neg_ctxt_len(hdr, len, clc_len);
+#endif /* SMB311 */
 	if (srvr->vals->header_preamble_size + len != clc_len) {
 		cifs_dbg(FYI, "Calculated size %u length %zu mismatch mid %llu\n",
 			 clc_len, srvr->vals->header_preamble_size + len, mid);
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index 253e2c7c952f..0e0a0af89e4d 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -263,6 +263,13 @@ struct smb2_negotiate_req {
 #define SMB2_NT_FIND			0x00100000
 #define SMB2_LARGE_FILES		0x00200000
 
+struct smb2_neg_context {
+	__le16	ContextType;
+	__le16	DataLength;
+	__le32	Reserved;
+	/* Followed by array of data */
+} __packed;
+
 #define SMB311_SALT_SIZE			32
 /* Hash Algorithm Types */
 #define SMB2_PREAUTH_INTEGRITY_SHA512	cpu_to_le16(0x0001)
-- 
2.14.1