ksmbd: fix invalid request buffer access in compound

Ronnie reported an invalid request buffer access in a chained command when
a garbage value is inserted into NextCommand of a compound request.
This patch adds a validation check to avoid this issue.

Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Tested-by: Steve French <smfrench@gmail.com>
Reviewed-by: Steve French <smfrench@gmail.com>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Namjae Jeon 2021-09-24 09:24:08 +09:00 committed by Steve French
parent 18d46769d5
commit d72a9c1588
1 changed files with 11 additions and 2 deletions


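--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
 bool is_chained_smb2_message(struct ksmbd_work *work)
 {
 	struct smb2_hdr *hdr = work->request_buf;
-	unsigned int len;
+	unsigned int len, next_cmd;
 	if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
 		return false;
 	hdr = ksmbd_req_buf_next(work);
-	if (le32_to_cpu(hdr->NextCommand) > 0) {
+	next_cmd = le32_to_cpu(hdr->NextCommand);
+	if (next_cmd > 0) {
+		if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
+			__SMB2_HEADER_STRUCTURE_SIZE >
+		    get_rfc1002_len(work->request_buf)) {
+			pr_err("next command(%u) offset exceeds smb msg size\n",
+			       next_cmd);
+			return false;
+		}
 		ksmbd_debug(SMB, "got SMB2 chained command\n");
 		init_chained_smb2_rsp(work);
 		return true;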
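Review bot: The new bound check only rejects a NextCommand that would place the next header past the end of the message; it still accepts small or misaligned values such as 1 or 8, which make the next header overlap the current one and produce an unaligned SMB2 header read, since MS-SMB2 requires NextCommand to point at an 8-byte-aligned header beyond the current command. I would tighten the condition to `if ((next_cmd & 7) || next_cmd < __SMB2_HEADER_STRUCTURE_SIZE || (u64)work->next_smb2_rcv_hdr_off + next_cmd + __SMB2_HEADER_STRUCTURE_SIZE > get_rfc1002_len(work->request_buf))` so a chained header can never start inside the current header or at an odd offset; whether the per-command body length is validated elsewhere before the next command is dispatched is not visible here and worth confirming. The `pr_err` on the rejection path is reachable from any client sending a malformed compound, so `pr_err_ratelimited` would avoid log flooding. `len` is now declared but unused in the visible part of the function; is_chained_smb2_message continues past the hunk, where it is presumably used.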