From: Tom Talpey <tom@talpey.com>
To: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>,
	linux-cifs@vger.kernel.org, sfrench@samba.org, pc@cjr.nz,
	lsahlber@redhat.com, sprasad@microsoft.com,
	rohiths@microsoft.com, smfrench@gmail.com, linkinjeon@kernel.org,
	hyc.lee@gmail.com
Subject: Re: [PATCH v6 2/5] ksmbd: Fix wrong return value in smb2_ioctl()
Date: Thu, 15 Sep 2022 11:43:59 -0700
Message-ID: <8f99206e-5972-3e9a-3c3b-bca19e6aa263@talpey.com>
In-Reply-To: <20220914021741.2672982-3-zhangxiaoxu5@huawei.com>

On 9/13/2022 7:17 PM, Zhang Xiaoxu wrote:
> When the {in, out}_buf_len is less than the required, should goto out
> to initialize the status in the response header.
> 
> Fixes: f7db8fd03a4bc ("ksmbd: add validation in smb2_ioctl")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> Cc: <stable@vger.kernel.org>
> ---
>   fs/ksmbd/smb2pdu.c | 12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index c49f65146ab3..b56d7688ccf1 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -7640,11 +7640,15 @@ int smb2_ioctl(struct ksmbd_work *work)
>   			goto out;
>   		}
>   
> -		if (in_buf_len < sizeof(struct validate_negotiate_info_req))
> -			return -EINVAL;
> +		if (in_buf_len < sizeof(struct validate_negotiate_info_req)) {
> +			ret = -EINVAL;
> +			goto out;
> +		}

In itself, this doesn't really fix the problem of requiring 4 dialects,
because it's still comparing to the incorrect Dialects[4] size. It's
only a fix once the 3/5 patch is applied.

So, I don't think it's appropriate for stable.

If you squash 2 and 3, then ok.

Tom.

> -		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
> -			return -EINVAL;
> +		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
> +			ret = -EINVAL;
> +			goto out;
> +		}
>   
>   		ret = fsctl_validate_negotiate_info(conn,
>   			(struct validate_negotiate_info_req *)&req->Buffer[0],
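
Review bot: The commit message does not say what a client sees when either length check in the FSCTL_VALIDATE_NEGOTIATE_INFO branch fails with the old bare return -EINVAL; please state the observable symptom of skipping the out label, since that is what justifies the Fixes: and stable tags. As a style point, the in_buf_len and out_buf_len checks now carry identical bodies (ret = -EINVAL; goto out;), so they could be folded into a single condition joined with ||, which keeps the error path in one place if the size comparison changes later in the series.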

Thread overview: 14+ messages
2022-09-14  2:17 [PATCH v6 0/5] Fix some bug in FSCTL_VALIDATE_NEGOTIATE_INFO handler Zhang Xiaoxu
2022-09-14  2:17 ` [PATCH v6 1/5] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Zhang Xiaoxu
2022-09-14  2:17 ` [PATCH v6 2/5] ksmbd: Fix wrong return value in smb2_ioctl() Zhang Xiaoxu
2022-09-15 18:43   ` Tom Talpey [this message]
2022-09-14  2:17 ` [PATCH v6 3/5] ksmbd: Fix FSCTL_VALIDATE_NEGOTIATE_INFO message length check " Zhang Xiaoxu
2022-09-15 18:45   ` Tom Talpey
2022-09-16  0:26   ` Namjae Jeon
2022-09-16 11:20     ` zhangxiaoxu (A)
2022-09-18 23:45       ` Namjae Jeon
2022-09-14  2:17 ` [PATCH v6 4/5] cifs: Add neg dialects info to smb version values Zhang Xiaoxu
2022-09-15 18:47   ` Tom Talpey
     [not found]     ` <CAH2r5ms+TnR4Y1LMWmNm5XdjV-4JSBq1+tsP6ERXq6NzwvWAig@mail.gmail.com>
2022-09-16 12:33       ` zhangxiaoxu (A)
2022-09-14  2:17 ` [PATCH v6 5/5] cifs: Refactor dialects in validate_negotiate_info_req to variable array Zhang Xiaoxu
2022-09-15 18:56   ` Tom Talpey
