From: Namjae Jeon <linkinjeon@kernel.org>
To: Ralph Boehme <slow@samba.org>
Cc: linux-cifs@vger.kernel.org, Hyunchul Lee <hyc.lee@gmail.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>,
Steve French <smfrench@gmail.com>
Subject: Re: [PATCH v2 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT
Date: Wed, 22 Sep 2021 09:26:23 +0900 [thread overview]
Message-ID: <CAKYAXd_8GVoxxkSNhzjQ5YLAWVguG5Vaz5_yi_4Jgc3PLToVYg@mail.gmail.com> (raw)
In-Reply-To: <3ab97b10-d94c-6cb2-0134-a4f3878a5ee2@samba.org>
2021-09-21 17:32 GMT+09:00, Ralph Boehme <slow@samba.org>:
> Hi Namjae,
>
> thanks! One nitpick below.
>
> Am 19.09.21 um 04:13 schrieb Namjae Jeon:
>> From: Hyunchul Lee <hyc.lee@gmail.com>
>>
>> Add buffer validation for SMB2_CREATE_CONTEXT.
>>
>> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
>> Cc: Ralph Böhme <slow@samba.org>
>> Cc: Steve French <smfrench@gmail.com>
>> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
>> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
>> ---
>> fs/ksmbd/oplock.c | 35 +++++++++++++++++++++++++----------
>> fs/ksmbd/smb2pdu.c | 25 ++++++++++++++++++++++++-
>> fs/ksmbd/smbacl.c | 9 ++++++++-
>> 3 files changed, 57 insertions(+), 12 deletions(-)
>>
>> diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c
>> index 16b6236d1bd2..3fd2713f2282 100644
>> --- a/fs/ksmbd/oplock.c
>> +++ b/fs/ksmbd/oplock.c
>> @@ -1451,26 +1451,41 @@ struct lease_ctx_info *parse_lease_state(void
>> *open_req)
>> */
>> struct create_context *smb2_find_context_vals(void *open_req, const char
>> *tag)
>> {
>> - char *data_offset;
>> + struct smb2_create_req *req = (struct smb2_create_req *)open_req;
>> struct create_context *cc;
>> - unsigned int next = 0;
>> + char *data_offset, *data_end;
>> char *name;
>> - struct smb2_create_req *req = (struct smb2_create_req *)open_req;
>> + unsigned int next = 0;
>> + unsigned int name_off, name_len, value_off, value_len;
>>
>> data_offset = (char *)req + 4 +
>> le32_to_cpu(req->CreateContextsOffset);
>> + data_end = data_offset + le32_to_cpu(req->CreateContextsLength);
>> cc = (struct create_context *)data_offset;
>> do {
>> - int val;
>> -
>> cc = (struct create_context *)((char *)cc + next);
>> - name = le16_to_cpu(cc->NameOffset) + (char *)cc;
>> - val = le16_to_cpu(cc->NameLength);
>> - if (val < 4)
>> + if ((char *)cc + offsetof(struct create_context, Buffer) >
>> + data_end)
>> return ERR_PTR(-EINVAL);
>>
>> - if (memcmp(name, tag, val) == 0)
>> - return cc;
>> next = le32_to_cpu(cc->Next);
>> + name_off = le16_to_cpu(cc->NameOffset);
>> + name_len = le16_to_cpu(cc->NameLength);
>> + value_off = le16_to_cpu(cc->DataOffset);
>> + value_len = le32_to_cpu(cc->DataLength);
>> +
>> + if ((char *)cc + name_off + name_len > data_end ||
>> + (value_len && (char *)cc + value_off + value_len > data_end))
>> + return ERR_PTR(-EINVAL);
>> + else if (next && (next < name_off + name_len ||
>> + (value_len && next < value_off + value_len)))
>> + return ERR_PTR(-EINVAL);
>
> The else is a bit confusing and not needed. Also, Samba has a few
> additional checks, I wonder whether we should add those two:
>
> if ((next & 0x7) != 0 ||
> next > remaining ||
> name_offset != 16 ||
> name_length < 4 ||
> name_offset + name_length > remaining ||
> (data_offset & 0x7) != 0 ||
> (data_offset && (data_offset < name_offset +
> name_length)) ||
> (data_offset > remaining) ||
> (data_offset + (uint64_t)data_length > remaining)) {
> return NT_STATUS_INVALID_PARAMETER;
> }
I will fix it on v2.
Thank your review!
>
> Other then that lgtm.
>
> Thanks!
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
>
>
next prev parent reply other threads:[~2021-09-22 0:26 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-19 2:13 [PATCH v2 1/4] ksmbd: add request buffer validation in smb2_set_info Namjae Jeon
2021-09-19 2:13 ` [PATCH] ksmbd: use LOOKUP_NO_SYMLINKS flags for default lookup Namjae Jeon
2021-09-19 2:13 ` [PATCH v2 2/4] ksmbd: add validation in smb2_ioctl Namjae Jeon
2021-09-21 8:08 ` Ralph Boehme
2021-09-21 11:15 ` Namjae Jeon
2021-09-19 2:13 ` [PATCH v2 3/4] ksmbd: add validation for FILE_FULL_EA_INFORMATION of smb2_get_info Namjae Jeon
2021-09-21 8:09 ` Ralph Boehme
2021-09-19 2:13 ` [PATCH v2 4/4] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT Namjae Jeon
2021-09-21 8:32 ` Ralph Boehme
2021-09-22 0:26 ` Namjae Jeon [this message]
2021-09-20 14:45 ` [PATCH v2 1/4] ksmbd: add request buffer validation in smb2_set_info Ralph Boehme
2021-09-20 15:03 ` Ralph Boehme
2021-09-20 15:10 ` Steve French
2021-09-20 16:11 ` Ralph Boehme
2021-09-20 16:20 ` Steve French
2021-09-20 16:30 ` Ralph Boehme
2021-09-20 15:38 ` Ralph Boehme
2021-09-20 16:18 ` Namjae Jeon
2021-09-21 14:23 ` Tom Talpey
2021-09-22 2:31 ` Namjae Jeon
2021-09-22 3:40 ` Namjae Jeon
2021-09-22 18:39 ` Tom Talpey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKYAXd_8GVoxxkSNhzjQ5YLAWVguG5Vaz5_yi_4Jgc3PLToVYg@mail.gmail.com \
--to=linkinjeon@kernel.org \
--cc=hyc.lee@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=ronniesahlberg@gmail.com \
--cc=slow@samba.org \
--cc=smfrench@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).