Linux-CIFS Archive on lore.kernel.org
* [PATCH] CIFS: fix max ea value size
@ 2019-09-21 11:26 Murphy Zhou
  2019-09-21 18:23 ` Aurélien Aptel
  0 siblings, 1 reply; 5+ messages in thread
From: Murphy Zhou @ 2019-09-21 11:26 UTC (permalink / raw)
  To: linux-cifs

It should not be larger than the slab max buf size. If user
specifies a larger size, it passes this check and goes
straight to SMB2_set_info_init performing an insecure memcpy.

Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com>
---
 fs/cifs/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
index 9076150758d8..db4ba8f6077e 100644
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -31,7 +31,7 @@
 #include "cifs_fs_sb.h"
 #include "cifs_unicode.h"
 
-#define MAX_EA_VALUE_SIZE 65535
+#define MAX_EA_VALUE_SIZE CIFSMaxBufSize
 #define CIFS_XATTR_CIFS_ACL "system.cifs_acl"
 #define CIFS_XATTR_ATTRIB "cifs.dosattrib"  /* full name: user.cifs.dosattrib */
 #define CIFS_XATTR_CREATETIME "cifs.creationtime"  /* user.cifs.creationtime */
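Review bot: the new `#define MAX_EA_VALUE_SIZE CIFSMaxBufSize` line makes an all-caps macro expand to another identifier instead of a literal, and nothing in the hunk documents what that bound covers. A one-line comment above the define stating that the limit is the buffer size, and whether protocol header overhead is already accounted for within it, would make the intent clear to later readers. The commit message places the unsafe memcpy in SMB2_set_info_init, which this hunk does not touch, so a length check next to that copy would also be worth adding so the copy does not depend solely on this macro being checked by every caller.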
-- 
2.21.0



* Re: [PATCH] CIFS: fix max ea value size
  2019-09-21 11:26 [PATCH] CIFS: fix max ea value size Murphy Zhou
@ 2019-09-21 18:23 ` Aurélien Aptel
  2019-09-22  1:25   ` Murphy Zhou
  0 siblings, 1 reply; 5+ messages in thread
From: Aurélien Aptel @ 2019-09-21 18:23 UTC (permalink / raw)
  To: Murphy Zhou, linux-cifs

"Murphy Zhou" <jencce.kernel@gmail.com> writes:
> It should not be larger than the slab max buf size. If user
> specifies a larger size, it passes this check and goes
> straight to SMB2_set_info_init performing an insecure memcpy.

It's even smaller than that as CIFSMaxBufSize is the max size for the
whole packet IIRC. The EA payload needs to fit into that. So it should
be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial
header). And if we set multiple EA at the same time it has to be divided
by the number of EAs etc...

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)


* Re: [PATCH] CIFS: fix max ea value size
  2019-09-21 18:23 ` Aurélien Aptel
@ 2019-09-22  1:25   ` Murphy Zhou
  2019-09-24  5:24     ` Steve French
  2019-09-24 21:16     ` Aurélien Aptel
  0 siblings, 2 replies; 5+ messages in thread
From: Murphy Zhou @ 2019-09-22  1:25 UTC (permalink / raw)
  To: Aurélien Aptel; +Cc: Murphy Zhou, linux-cifs

On Sat, Sep 21, 2019 at 08:23:32PM +0200, Aurélien Aptel wrote:
> "Murphy Zhou" <jencce.kernel@gmail.com> writes:
> > It should not be larger than the slab max buf size. If user
> > specifies a larger size, it passes this check and goes
> > straight to SMB2_set_info_init performing an insecure memcpy.
> 
> It's even smaller than that as CIFSMaxBufSize is the max size for the
> whole packet IIRC. The EA payload needs to fit into that. So it should
> be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial header).

No need. Slab size includes the bufsize and the header size.

> And if we set multiple EA at the same time it has to be divided
> by the number of EAs etc...

They will be handled separately and slab will work well.

> 
> Cheers,
> -- 
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)


* Re: [PATCH] CIFS: fix max ea value size
  2019-09-22  1:25   ` Murphy Zhou
@ 2019-09-24  5:24     ` Steve French
  2019-09-24 21:16     ` Aurélien Aptel
  1 sibling, 0 replies; 5+ messages in thread
From: Steve French @ 2019-09-24  5:24 UTC (permalink / raw)
  To: Murphy Zhou; +Cc: Aurélien Aptel, CIFS

Your patch looks correct - added cc:stable and merged to cifs-2.6.git for-next

On Sun, Sep 22, 2019 at 2:23 PM Murphy Zhou <jencce.kernel@gmail.com> wrote:
>
> On Sat, Sep 21, 2019 at 08:23:32PM +0200, Aurélien Aptel wrote:
> > "Murphy Zhou" <jencce.kernel@gmail.com> writes:
> > > It should not be larger than the slab max buf size. If user
> > > specifies a larger size, it passes this check and goes
> > > straight to SMB2_set_info_init performing an insecure memcpy.
> >
> > It's even smaller than that as CIFSMaxBufSize is the max size for the
> > whole packet IIRC. The EA payload needs to fit into that. So it should
> > be CIFSMaxBufSize-(largest SMB2 header size + Set EA initial header).
>
> No need. Slab size includes the bufsize and the header size.
>
> > And if we set multiple EA at the same time it has to be divided
> > by the number of EAs etc...
>
> They will be handled separately and slab will work well.
>
> >
> > Cheers,
> > --
> > Aurélien Aptel / SUSE Labs Samba Team
> > GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> > SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> > GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)



-- 
Thanks,

Steve


* Re: [PATCH] CIFS: fix max ea value size
  2019-09-22  1:25   ` Murphy Zhou
  2019-09-24  5:24     ` Steve French
@ 2019-09-24 21:16     ` Aurélien Aptel
  1 sibling, 0 replies; 5+ messages in thread
From: Aurélien Aptel @ 2019-09-24 21:16 UTC (permalink / raw)
  To: Murphy Zhou; +Cc: Murphy Zhou, linux-cifs

"Murphy Zhou" <jencce.kernel@gmail.com> writes:
> No need. Slab size includes the bufsize and the header size.
>
>> And if we set multiple EA at the same time it has to be divided
>> by the number of EAs etc...
>
> They will be handled separately and slab will work well.

Oh, you are right, I have no more remarks then.
We reviewed this with Steve.

Thanks
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
