On 02.10.21 at 07:55, Namjae Jeon wrote:
> 2021-10-01 21:04 GMT+09:00, Ralph Boehme :
>> Note: we already have the same check in is_chained_smb2_message(), but there it
>> only applies to compound requests, so we have to repeat the check here to cover
>> both cases.
>>
>> Cc: Namjae Jeon
>> Cc: Tom Talpey
>> Cc: Ronnie Sahlberg
>> Cc: Steve French
>> Cc: Hyunchul Lee
>> Signed-off-by: Ralph Boehme
>> ---
>>  fs/ksmbd/smb2misc.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
>> index 7ed266eb6c5e..541b39b7a84b 100644
>> --- a/fs/ksmbd/smb2misc.c
>> +++ b/fs/ksmbd/smb2misc.c
>> @@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
>> if (check_smb2_hdr(hdr))
>> return 1;
>>
>> + if (len < sizeof(struct smb2_pdu) - 4)
>> + return 1;
> when only this patch is applied, how can you guarantee that session id
> and tree id of smb2 header are valid ?

what do you mean? This just checks the actual packet length is large enough to
access the header and the body length field.

-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead                   https://sernet.de/en/team-samba
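Review bot: the new length guard is placed after the `if (check_smb2_hdr(hdr)) return 1;` context lines, so check_smb2_hdr() dereferences the header before the check that is meant to make header access safe; if `len` is what bounds access to `hdr`, the `if (len < sizeof(struct smb2_pdu) - 4)` test should be moved above the check_smb2_hdr() call. The `- 4` is also undocumented in the hunk; a one-line comment stating what those 4 bytes account for, and what `len` measures relative to `hdr`, would make the bound verifiable by the next reader.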
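To make the point of the thread concrete, here is an added example written for this page (not ksmbd code) of a minimum-length guard that runs before the body length field is read, together with a constructed truncated message; the framing constants, struct-free layout and function names are assumptions, not ksmbd's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified framing assumed for this example (not ksmbd's structs): a 4-byte
 * big-endian transport length prefix, a 64-byte SMB2 header, then a body whose
 * first field is the 2-byte little-endian StructureSize2. */
#define SMB2_HDR_SIZE 64
#define SMB2_MIN_PDU  (SMB2_HDR_SIZE + 2)   /* header + body length field */
/* Same guard as the patch: 1 (reject) when the PDU after the prefix is too short. */
int smb2_pdu_too_short(size_t len)
{
    return len < SMB2_MIN_PDU;
}
/* Reads StructureSize2 only after the length guard passes. `buf` points at the
 * prefix, `buf_len` is what was actually received. Returns -1 when unsafe. */
int smb2_body_struct_size(const uint8_t *buf, size_t buf_len)
{
    uint32_t claimed;
    if (buf_len < 4)
        return -1;
    claimed = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8) | buf[3];
    /* the prefix is peer-controlled: it must both be large enough and not
     * exceed the bytes really present before anything past it is read */
    if (smb2_pdu_too_short(claimed) || buf_len - 4 < claimed)
        return -1;
    return buf[4 + SMB2_HDR_SIZE] | (buf[5 + SMB2_HDR_SIZE] << 8);
}
/* Constructs a sample: prefix + zeroed header (+ StructureSize2 when there is
 * room for it). Returns total bytes, or 0 if `out` is too small. */
size_t build_sample(uint8_t *out, size_t out_sz, uint32_t pdu_len, uint16_t ss2)
{
    if (out_sz < 4 + pdu_len)
        return 0;
    memset(out, 0, 4 + pdu_len);
    out[0] = (uint8_t)(pdu_len >> 24); out[1] = (uint8_t)(pdu_len >> 16);
    out[2] = (uint8_t)(pdu_len >> 8);  out[3] = (uint8_t)pdu_len;
    if (!smb2_pdu_too_short(pdu_len)) {
        out[4 + SMB2_HDR_SIZE] = ss2 & 0xff;
        out[5 + SMB2_HDR_SIZE] = ss2 >> 8;
    }
    return 4 + pdu_len;
}
/* Builds a sample and parses only the first `deliver` bytes of it (0 = all). */
int check_sample(uint32_t pdu_len, uint16_t ss2, size_t deliver)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf, pdu_len, ss2);
    return n ? smb2_body_struct_size(buf, deliver ? deliver : n) : -1;
}
```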