diff mbox series

[v8,2/3] ksmbd: Fix wrong return value and message length check in smb2_ioctl()

Message ID 20220926033631.926637-3-zhangxiaoxu5@huawei.com
State New
Series: Fix some bug in FSCTL_VALIDATE_NEGOTIATE_INFO handler

Commit Message

zhangxiaoxu (A) Sept. 26, 2022, 3:36 a.m. UTC
Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
break, and move its struct to smbfs_common") uses the definition
of 'struct validate_negotiate_info_req' in smbfs_common, where the
array length of 'Dialects' changed from 1 to 4, but the protocol
does not require the client to send all 4. This causes a request
that satisfies the protocol and the server to fail.

So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(); then fsctl_validate_negotiate_info() will use it
to validate the payload length and each dialect.

Also, when the {in, out}_buf_len is less than required, it should
goto out to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
 fs/ksmbd/smb2pdu.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
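The length checks the commit message describes, as an added example that is not ksmbd code: the struct is an assumed simplified stand-in for the smbfs_common definition (same field order, 4 Dialects slots), and old_len_check, new_header_check, dialects_len_check and check_sample are hypothetical names; a little-endian host is assumed where the kernel would use le16_to_cpu().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in with the smbfs_common field order; Dialects has 4 slots. */
struct validate_negotiate_info_req {
	uint32_t Capabilities;
	uint8_t  Guid[16];
	uint16_t SecurityMode;
	uint16_t DialectCount;
	uint16_t Dialects[4];
} __attribute__((packed));

/* Fixed part of the request: everything up to and including DialectCount. */
#define REQ_HDR_LEN offsetof(struct validate_negotiate_info_req, Dialects)

/* Pre-patch check: demands all 4 Dialects slots, refusing a valid 1-dialect request. */
int old_len_check(size_t in_buf_len)
{
	return in_buf_len < sizeof(struct validate_negotiate_info_req) ? -EINVAL : 0;
}

/* Post-patch check in smb2_ioctl(): only the fixed header must be present. */
int new_header_check(size_t in_buf_len)
{
	return in_buf_len < REQ_HDR_LEN ? -EINVAL : 0;
}

/* What the callee must then do: bound the Dialects array by the client-supplied
 * DialectCount before reading any entry (little-endian host assumed here). */
int dialects_len_check(const unsigned char *buf, size_t in_buf_len)
{
	const struct validate_negotiate_info_req *req = (const void *)buf;
	if (new_header_check(in_buf_len))
		return -EINVAL;
	if (req->DialectCount == 0 ||
	    REQ_HDR_LEN + (size_t)req->DialectCount * sizeof(uint16_t) > in_buf_len)
		return -EINVAL;
	return 0;
}

/* Constructed sample: DialectCount claims `claimed` entries, payload carries `present`. */
int check_sample(uint16_t claimed, size_t present)
{
	unsigned char buf[64] = { 0 };   /* large enough for any present <= 20 */
	memcpy(buf + offsetof(struct validate_negotiate_info_req, DialectCount),
	       &claimed, sizeof(claimed));
	return dialects_len_check(buf, REQ_HDR_LEN + present * sizeof(uint16_t));
}
```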

Comments

Namjae Jeon Sept. 27, 2022, 12:35 a.m. UTC | #1
2022-09-26 12:36 GMT+09:00, Zhang Xiaoxu <zhangxiaoxu5@huawei.com>:
> Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
> break, and move its struct to smbfs_common") uses the definition
> of 'struct validate_negotiate_info_req' in smbfs_common, where the
> array length of 'Dialects' changed from 1 to 4, but the protocol
> does not require the client to send all 4. This causes a request
> that satisfies the protocol and the server to fail.
>
> So just ensure the request payload has the 'DialectCount' in
> smb2_ioctl(); then fsctl_validate_negotiate_info() will use it
> to validate the payload length and each dialect.
>
> Also, when the {in, out}_buf_len is less than required, it should
> goto out to initialize the status in the response header.
>
> Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>

Thanks!

Patch

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 15c487aa19ad..22dc2facac8a 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7638,11 +7638,16 @@  int smb2_ioctl(struct ksmbd_work *work)
 			goto out;
 		}
 
-		if (in_buf_len < sizeof(struct validate_negotiate_info_req))
-			return -EINVAL;
+		if (in_buf_len < offsetof(struct validate_negotiate_info_req,
+					  Dialects)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
-		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
-			return -EINVAL;
+		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
 		ret = fsctl_validate_negotiate_info(conn,
 			(struct validate_negotiate_info_req *)&req->Buffer[0],
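Review bot: the relaxed in_buf_len check (offsetof(..., Dialects) instead of sizeof the struct) is only safe if fsctl_validate_negotiate_info() bounds every Dialects[i] read against in_buf_len using the client-supplied DialectCount, which the commit message says it does; the argument list of that call is cut off here, so please confirm in_buf_len is actually passed through and checked before the dialect loop, otherwise a DialectCount larger than the payload would read past the request buffer. The two `ret = -EINVAL; goto out;` conversions are correct and match the surrounding error paths.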