Commit d72a9c15 authored by Namjae Jeon, committed by Steve French

ksmbd: fix invalid request buffer access in compound

Ronnie reported an invalid request buffer access in a chained command when
a garbage value is inserted into NextCommand of a compound request.
This patch adds a validation check to avoid this issue.

Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Tested-by: Steve French <smfrench@gmail.com>
Reviewed-by: Steve French <smfrench@gmail.com>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 18d46769
...@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) ...@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
bool is_chained_smb2_message(struct ksmbd_work *work) bool is_chained_smb2_message(struct ksmbd_work *work)
{ {
struct smb2_hdr *hdr = work->request_buf; struct smb2_hdr *hdr = work->request_buf;
unsigned int len; unsigned int len, next_cmd;
if (hdr->ProtocolId != SMB2_PROTO_NUMBER) if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
return false; return false;
hdr = ksmbd_req_buf_next(work); hdr = ksmbd_req_buf_next(work);
if (le32_to_cpu(hdr->NextCommand) > 0) { next_cmd = le32_to_cpu(hdr->NextCommand);
if (next_cmd > 0) {
if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
__SMB2_HEADER_STRUCTURE_SIZE >
get_rfc1002_len(work->request_buf)) {
pr_err("next command(%u) offset exceeds smb msg size\n",
next_cmd);
return false;
}
ksmbd_debug(SMB, "got SMB2 chained command\n"); ksmbd_debug(SMB, "got SMB2 chained command\n");
init_chained_smb2_rsp(work); init_chained_smb2_rsp(work);
return true; return true;
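Review bot: The new bound at the `if ((u64)work->next_smb2_rcv_hdr_off + next_cmd + __SMB2_HEADER_STRUCTURE_SIZE > get_rfc1002_len(...))` check only rejects a NextCommand that runs past the end of the message; any smaller positive value is accepted, including one below the header size (so the "next" header overlaps the current one) and, as far as I recall the protocol's 8-byte alignment rule, an unaligned offset, so a lower-bound guard such as `if (next_cmd < __SMB2_HEADER_STRUCTURE_SIZE || (next_cmd & 7)) return false;` ahead of the size check is worth considering unless later chain handling already rejects those. The offset is client-controlled, so the unconditional `pr_err("next command(%u) offset exceeds smb msg size\n", next_cmd);` lets a misbehaving peer fill the kernel log; `pr_err_ratelimited()` keeps the diagnostic without the flood. Note that `len` is still declared on the new side but its use, and the rest of the function body, lie outside the hunk.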
......