linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ralph Boehme <slow@samba.org>
To: Namjae Jeon <linkinjeon@kernel.org>, linux-cifs@vger.kernel.org
Cc: Hyunchul Lee <hyc.lee@gmail.com>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Steve French <smfrench@gmail.com>
Subject: Re: [PATCH v2 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT
Date: Tue, 21 Sep 2021 10:32:15 +0200	[thread overview]
Message-ID: <3ab97b10-d94c-6cb2-0134-a4f3878a5ee2@samba.org> (raw)
In-Reply-To: <20210919021315.642856-5-linkinjeon@kernel.org>


[-- Attachment #1.1: Type: text/plain, Size: 3350 bytes --]

Hi Namjae,

thanks! One nitpick below.

Am 19.09.21 um 04:13 schrieb Namjae Jeon:
> From: Hyunchul Lee <hyc.lee@gmail.com>
> 
> Add buffer validation for SMB2_CREATE_CONTEXT.
> 
> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
> Cc: Ralph Böhme <slow@samba.org>
> Cc: Steve French <smfrench@gmail.com>
> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
> ---
>   fs/ksmbd/oplock.c  | 35 +++++++++++++++++++++++++----------
>   fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++-
>   fs/ksmbd/smbacl.c  |  9 ++++++++-
>   3 files changed, 57 insertions(+), 12 deletions(-)
> 
> diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
> index 16b6236d1bd2..3fd2713f2282 100644
> --- a/fs/ksmbd/oplock.c
> +++ b/fs/ksmbd/oplock.c
> @@ -1451,26 +1451,41 @@ struct lease_ctx_info *parse_lease_state(void *open_req)
>    */
>   struct create_context *smb2_find_context_vals(void *open_req, const char *tag)
>   {
> -	char *data_offset;
> +	struct smb2_create_req *req = (struct smb2_create_req *)open_req;
>   	struct create_context *cc;
> -	unsigned int next = 0;
> +	char *data_offset, *data_end;
>   	char *name;
> -	struct smb2_create_req *req = (struct smb2_create_req *)open_req;
> +	unsigned int next = 0;
> +	unsigned int name_off, name_len, value_off, value_len;
>   
>   	data_offset = (char *)req + 4 + le32_to_cpu(req->CreateContextsOffset);
> +	data_end = data_offset + le32_to_cpu(req->CreateContextsLength);
>   	cc = (struct create_context *)data_offset;
>   	do {
> -		int val;
> -
>   		cc = (struct create_context *)((char *)cc + next);
> -		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
> -		val = le16_to_cpu(cc->NameLength);
> -		if (val < 4)
> +		if ((char *)cc + offsetof(struct create_context, Buffer) >
> +		    data_end)
>   			return ERR_PTR(-EINVAL);
>   
> -		if (memcmp(name, tag, val) == 0)
> -			return cc;
>   		next = le32_to_cpu(cc->Next);
> +		name_off = le16_to_cpu(cc->NameOffset);
> +		name_len = le16_to_cpu(cc->NameLength);
> +		value_off = le16_to_cpu(cc->DataOffset);
> +		value_len = le32_to_cpu(cc->DataLength);
> +
> +		if ((char *)cc + name_off + name_len > data_end ||
> +		    (value_len && (char *)cc + value_off + value_len > data_end))
> +			return ERR_PTR(-EINVAL);
> +		else if (next && (next < name_off + name_len ||
> +			 (value_len && next < value_off + value_len)))
> +			return ERR_PTR(-EINVAL);

The else is a bit confusing and not needed. Also, Samba has a few 
additional checks, I wonder whether we should add those two:

                 if ((next & 0x7) != 0 ||
                     next > remaining ||
                     name_offset != 16 ||
                     name_length < 4 ||
                     name_offset + name_length > remaining ||
                     (data_offset & 0x7) != 0 ||
                     (data_offset && (data_offset < name_offset + 
name_length)) ||
                     (data_offset > remaining) ||
                     (data_offset + (uint64_t)data_length > remaining)) {
                         return NT_STATUS_INVALID_PARAMETER;
                 }

Other then that lgtm.

Thanks!
-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

  reply	other threads:[~2021-09-21  8:32 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-19  2:13 [PATCH v2 1/4] ksmbd: add request buffer validation in smb2_set_info Namjae Jeon
2021-09-19  2:13 ` [PATCH] ksmbd: use LOOKUP_NO_SYMLINKS flags for default lookup Namjae Jeon
2021-09-19  2:13 ` [PATCH v2 2/4] ksmbd: add validation in smb2_ioctl Namjae Jeon
2021-09-21  8:08   ` Ralph Boehme
2021-09-21 11:15     ` Namjae Jeon
2021-09-19  2:13 ` [PATCH v2 3/4] ksmbd: add validation for FILE_FULL_EA_INFORMATION of smb2_get_info Namjae Jeon
2021-09-21  8:09   ` Ralph Boehme
2021-09-19  2:13 ` [PATCH v2 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT Namjae Jeon
2021-09-21  8:32   ` Ralph Boehme [this message]
2021-09-22  0:26     ` Namjae Jeon
2021-09-20 14:45 ` [PATCH v2 1/4] ksmbd: add request buffer validation in smb2_set_info Ralph Boehme
2021-09-20 15:03   ` Ralph Boehme
2021-09-20 15:10     ` Steve French
2021-09-20 16:11       ` Ralph Boehme
2021-09-20 16:20         ` Steve French
2021-09-20 16:30           ` Ralph Boehme
2021-09-20 15:38 ` Ralph Boehme
2021-09-20 16:18   ` Namjae Jeon
2021-09-21 14:23 ` Tom Talpey
2021-09-22  2:31   ` Namjae Jeon
2021-09-22  3:40     ` Namjae Jeon
2021-09-22 18:39       ` Tom Talpey

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3ab97b10-d94c-6cb2-0134-a4f3878a5ee2@samba.org \
    --to=slow@samba.org \
    --cc=hyc.lee@gmail.com \
    --cc=linkinjeon@kernel.org \
    --cc=linux-cifs@vger.kernel.org \
    --cc=ronniesahlberg@gmail.com \
    --cc=smfrench@gmail.com \
    --subject='Re: [PATCH v2 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).