From: Namjae Jeon <linkinjeon@kernel.org>
To: Ralph Boehme <slow@samba.org>
Cc: Hyunchul Lee <hyc.lee@gmail.com>,
	linux-cifs <linux-cifs@vger.kernel.org>,
	Tom Talpey <tom@talpey.com>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Steve French <smfrench@gmail.com>
Subject: Re: [PATCH v5 16/20] ksmbd: check PDU len is at least header plus body size in ksmbd_smb2_check_message()
Date: Sun, 3 Oct 2021 10:25:57 +0900	[thread overview]
Message-ID: <CAKYAXd-1URTC0gMvEF61M+gHwkZ2rZ7TH0GGX-zbdJrTO7m77g@mail.gmail.com> (raw)
In-Reply-To: <965d1971-239c-0cfc-9abb-5b20c9b698e9@samba.org>

2021-10-02 21:49 GMT+09:00, Ralph Boehme <slow@samba.org>:
> On 02.10.21 at 14:45, Hyunchul Lee wrote:
>> Hi Ralph,
>>
>> On Fri, 1 Oct 2021 at 21:25, Ralph Boehme <slow@samba.org> wrote:
>>>
>>> Note: we already have the same check in is_chained_smb2_message(), but
>>> there it only applies to compound requests, so we have to repeat the
>>> check here to cover both cases.
>>>
>>> Cc: Namjae Jeon <linkinjeon@kernel.org>
>>> Cc: Tom Talpey <tom@talpey.com>
>>> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
>>> Cc: Steve French <smfrench@gmail.com>
>>> Cc: Hyunchul Lee <hyc.lee@gmail.com>
>>> Signed-off-by: Ralph Boehme <slow@samba.org>
>>> ---
>>>   fs/ksmbd/smb2misc.c | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
>>> index 7ed266eb6c5e..541b39b7a84b 100644
>>> --- a/fs/ksmbd/smb2misc.c
>>> +++ b/fs/ksmbd/smb2misc.c
>>> @@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work
>>> *work)
>>>          if (check_smb2_hdr(hdr))
>>>                  return 1;
>>>
>>> +       if (len < sizeof(struct smb2_pdu) - 4)
>>> +               return 1;
>>> +
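Review bot: the new minimum-length guard sits after `check_smb2_hdr(hdr)`, which takes the header pointer and presumably reads its fields, so a PDU shorter than `sizeof(struct smb2_pdu) - 4` is still inspected before this check rejects it; move the length comparison ahead of `check_smb2_hdr()` so that no header field is dereferenced until the buffer is known to be large enough. The bare `- 4` also needs a comment or a named constant, since nothing in the hunk says what the four subtracted bytes are, and because the commit message states that is_chained_smb2_message() already performs the same comparison, a small shared helper would keep the two copies from drifting apart.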
>>
>> Do we need this check before accessing any fields of smb2_hdr in
>> ksmbd_verify_smb_message()?
>
> well, my idea was to have the core PDU size checking logic in
> ksmbd_smb2_check_message() and ksmbd_verify_smb_message() merely
> switches between SMB1/SMB2.
Hyunchul pointed out that this header buffer check should be moved to
the above check_smb2_hdr(). I think that it should be moved to the
above ksmbd_smb2_cur_pdu_buflen().

>
> -slow
>
> --
> Ralph Boehme, Samba Team                 https://samba.org/
> SerNet Samba Team Lead      https://sernet.de/en/team-samba
>
