From: Namjae Jeon <linkinjeon@kernel.org>
To: linux-cifs@vger.kernel.org
Cc: "Namjae Jeon" <linkinjeon@kernel.org>,
"Tom Talpey" <tom@talpey.com>,
"Ronnie Sahlberg" <ronniesahlberg@gmail.com>,
"Ralph Böhme" <slow@samba.org>,
"Steve French" <smfrench@gmail.com>,
"Ronnie Sahlberg" <lsahlber@redhat.com>
Subject: [PATCH v4] ksmbd: fix invalid request buffer access in compound
Date: Thu, 23 Sep 2021 12:48:54 +0900 [thread overview]
Message-ID: <20210923034855.612832-2-linkinjeon@kernel.org> (raw)
In-Reply-To: <20210923034855.612832-1-linkinjeon@kernel.org>
Ronnie reported an invalid request buffer access in a chained command when
inserting a garbage value into NextCommand of a compound request.
This patch adds a validation check to avoid this issue.
Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Cc: Steve French <smfrench@gmail.com>
Reported-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
v2:
- fix integer overflow from work->next_smb2_rcv_hdr_off.
v3:
- check next command offset and at least header size of next pdu at
the same time.
v4:
- add a next_cmd variable to avoid repeated conversion.
fs/ksmbd/smb2pdu.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 90f867b9d560..301558a04298 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -459,13 +459,21 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
bool is_chained_smb2_message(struct ksmbd_work *work)
{
struct smb2_hdr *hdr = work->request_buf;
- unsigned int len;
+ unsigned int len, next_cmd;
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
return false;
hdr = ksmbd_req_buf_next(work);
- if (le32_to_cpu(hdr->NextCommand) > 0) {
+ next_cmd = le32_to_cpu(hdr->NextCommand);
+ if (next_cmd > 0) {
+ if ((u64)work->next_smb2_rcv_hdr_off + next_cmd + 64 >
+ get_rfc1002_len(work->request_buf)) {
+ pr_err("next command(%u) offset exceeds smb msg size\n",
+ next_cmd);
+ return false;
+ }
+
ksmbd_debug(SMB, "got SMB2 chained command\n");
init_chained_smb2_rsp(work);
return true;
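Review bot: the literal 64 in `(u64)work->next_smb2_rcv_hdr_off + next_cmd + 64 >` should be `sizeof(struct smb2_hdr)` (or whatever header-size constant ksmbd already uses) so the intent, that the next header must fit entirely inside the message, is visible without a comment and a future header-size change cannot silently invalidate the check. The check only guarantees that the next 64-byte header lies inside get_rfc1002_len(work->request_buf); the per-command handler still has to validate its own StructureSize and body against the remaining length, and the comparison is only meaningful if the RFC1002 length has already been checked against the number of bytes actually received. MS-SMB2 also requires NextCommand to be 8-byte aligned, which this hunk does not test; a `next_cmd & 7` check here would reject misaligned chains early. Finally, pr_err() is reachable by any client sending a malformed compound, so ksmbd_debug() or a ratelimited print would be the safer choice for this message.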
--
2.25.1
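A stand-alone C model of the check this patch adds, written for this page and not ksmbd code: it walks a compound request the way is_chained_smb2_message() advances work->next_smb2_rcv_hdr_off, rejects a NextCommand that would place the next 64-byte header past the RFC1002 length, and shows why the u64 promotion from v2 matters by putting the 32-bit version of the same test next to it. Header layout (ProtocolId at offset 0, NextCommand at offset 20, 64-byte fixed header) follows MS-SMB2; the messages are constructed in-process, and all function names are this example's own.

```c
/* Added example: stand-alone model of the compound-chain bounds check in
 * this patch. Not ksmbd code; offsets follow MS-SMB2, input is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_SIZE     64u   /* fixed SMB2 header length */
#define SMB2_NEXTCMD_OFF  20u   /* offset of NextCommand within the header */
#define RFC1002_HDR_SIZE  4u    /* NetBIOS session header: type + 3-byte length */
static const uint8_t SMB2_PROTO_ID[4] = { 0xFE, 'S', 'M', 'B' };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}
/* Mirrors get_rfc1002_len(): 24-bit big-endian length after the type byte. */
static uint32_t rfc1002_len(const uint8_t *buf)
{
    return (uint32_t)buf[1] << 16 | (uint32_t)buf[2] << 8 | buf[3];
}

/* The patch's condition: does a whole header at hdr_off + next_cmd still lie
 * inside msg_len? hdr_off is 64-bit, so the sum cannot wrap. */
int next_hdr_fits(uint64_t hdr_off, uint32_t next_cmd, uint32_t msg_len)
{
    return hdr_off + next_cmd + SMB2_HDR_SIZE <= msg_len;
}
/* Same test in 32-bit arithmetic (the overflow v2 of this series fixed):
 * a garbage NextCommand wraps the sum and the check wrongly passes. */
int next_hdr_fits_u32_bug(uint32_t hdr_off, uint32_t next_cmd, uint32_t msg_len)
{
    uint32_t end = hdr_off + next_cmd + SMB2_HDR_SIZE;   /* may wrap */
    return end <= msg_len;
}

/* Walk a compound request the way ksmbd advances next_smb2_rcv_hdr_off.
 * buf starts at the RFC1002 header; buflen is what actually arrived.
 * Returns the number of PDUs in the chain, or -1 on a malformed chain. */
int count_chained_pdus(const uint8_t *buf, size_t buflen)
{
    if (buflen < RFC1002_HDR_SIZE)
        return -1;
    uint32_t msg_len = rfc1002_len(buf);
    /* Framing must not claim more than was received, or every later check
     * is against a lie (the subject of the sibling patch in this series). */
    if ((uint64_t)msg_len + RFC1002_HDR_SIZE > buflen || msg_len < SMB2_HDR_SIZE)
        return -1;
    const uint8_t *pdu = buf + RFC1002_HDR_SIZE;
    uint64_t hdr_off = 0;                 /* work->next_smb2_rcv_hdr_off */
    int count = 0;
    for (;;) {
        const uint8_t *hdr = pdu + hdr_off;   /* in bounds: checked before use */
        if (memcmp(hdr, SMB2_PROTO_ID, sizeof SMB2_PROTO_ID) != 0)
            return -1;
        count++;
        uint32_t next_cmd = le32(hdr + SMB2_NEXTCMD_OFF);
        if (next_cmd == 0)
            return count;                 /* last command of the compound */
        if (!next_hdr_fits(hdr_off, next_cmd, msg_len))
            return -1;                    /* "next command offset exceeds smb msg size" */
        hdr_off += next_cmd;
    }
}

/* Build a constructed compound of n bare 64-byte headers; next[i] is written
 * into header i's NextCommand. Returns total bytes including framing. */
size_t build_compound(uint8_t *out, size_t outsz, const uint32_t *next, unsigned n)
{
    size_t total = RFC1002_HDR_SIZE + (size_t)n * SMB2_HDR_SIZE;
    if (n == 0 || total > outsz)
        return 0;
    memset(out, 0, total);
    uint32_t len = (uint32_t)(total - RFC1002_HDR_SIZE);
    out[1] = len >> 16; out[2] = (len >> 8) & 0xFF; out[3] = len & 0xFF;
    for (unsigned i = 0; i < n; i++) {
        uint8_t *hdr = out + RFC1002_HDR_SIZE + (size_t)i * SMB2_HDR_SIZE;
        memcpy(hdr, SMB2_PROTO_ID, sizeof SMB2_PROTO_ID);
        hdr[4] = SMB2_HDR_SIZE;                      /* StructureSize = 64 */
        put_le32(hdr + SMB2_NEXTCMD_OFF, next[i]);
    }
    return total;
}

/* Scenarios on constructed input: a well-formed 3-PDU chain, the reported
 * garbage NextCommand, a header straddling the end, and truncated framing. */
int case_valid_chain(void)
{
    static const uint32_t next[] = { 64, 64, 0 };
    uint8_t b[RFC1002_HDR_SIZE + 3 * SMB2_HDR_SIZE];
    return count_chained_pdus(b, build_compound(b, sizeof b, next, 3));
}
int case_garbage_next_cmd(void)
{
    static const uint32_t next[] = { 64, 0xFFFFFFF0u };
    uint8_t b[RFC1002_HDR_SIZE + 2 * SMB2_HDR_SIZE];
    return count_chained_pdus(b, build_compound(b, sizeof b, next, 2));
}
int case_next_cmd_off_by_one(void)
{
    static const uint32_t next[] = { 65, 0 };        /* 65 + 64 > 128 */
    uint8_t b[RFC1002_HDR_SIZE + 2 * SMB2_HDR_SIZE];
    return count_chained_pdus(b, build_compound(b, sizeof b, next, 2));
}
int case_truncated_stream(void)
{
    static const uint32_t next[] = { 64, 0 };
    uint8_t b[RFC1002_HDR_SIZE + 2 * SMB2_HDR_SIZE];
    size_t n = build_compound(b, sizeof b, next, 2);
    return count_chained_pdus(b, n - 1);             /* one byte short of the claim */
}

int main(void)
{
    printf("valid chain      : %d\n", case_valid_chain());
    printf("garbage NextCmd  : %d\n", case_garbage_next_cmd());
    printf("off-by-one       : %d\n", case_next_cmd_off_by_one());
    printf("truncated stream : %d\n", case_truncated_stream());
    return 0;
}
```

The garbage case is the one from the report: with 32-bit arithmetic, 64 + 0xFFFFFFF0 + 64 wraps to 112, which is below the 128-byte message length, so the walker would go on to read a header at an offset of roughly 4 GiB; with the u64 sum the chain is rejected before that read. Note that fitting the header is all this check proves; each command handler still has to check its own body against what remains.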
Thread overview: 9+ messages
2021-09-23 3:48 [PATCH] ksmbd: add the check to validate if stream protocol length exceeds maximum value Namjae Jeon
2021-09-23 3:48 ` Namjae Jeon [this message]
2021-09-23 15:13 ` [PATCH v4] ksmbd: fix invalid request buffer access in compound Tom Talpey
2021-09-23 19:30 ` Namjae Jeon
2021-09-23 3:48 ` [PATCH v3] ksmbd: add validation in smb2 negotiate Namjae Jeon
2021-09-23 15:54 ` Tom Talpey
2021-09-23 20:14 ` Namjae Jeon
2021-09-23 15:05 ` [PATCH] ksmbd: add the check to validate if stream protocol length exceeds maximum value Tom Talpey
2021-09-23 19:24 ` Namjae Jeon