author | Namjae Jeon <[email protected]> | 2021-09-24 09:24:08 +0900 |
---|---|---|
committer | Steve French <[email protected]> | 2021-09-26 16:47:14 -0500 |
commit | d72a9c158893d537d769a669a5837bc80b0f851c (patch) | |
tree | d98701863d3afdc4359fe015ac1a89d0fd081cf3 | |
parent | 18d46769d54aba03c2c3fa666fe810f264b5d7b8 (diff) |
ksmbd: fix invalid request buffer access in compound
Ronnie reported invalid request buffer access in chained command when
inserting garbage value to NextCommand of compound request.
This patch adds a validation check to avoid this issue.
Cc: Tom Talpey <[email protected]>
Cc: Ronnie Sahlberg <[email protected]>
Cc: Ralph Böhme <[email protected]>
Tested-by: Steve French <[email protected]>
Reviewed-by: Steve French <[email protected]>
Acked-by: Hyunchul Lee <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
-rw-r--r-- | fs/ksmbd/smb2pdu.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 761e12171dc4..cea376b2dd8f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
 bool is_chained_smb2_message(struct ksmbd_work *work)
 {
 	struct smb2_hdr *hdr = work->request_buf;
-	unsigned int len;
+	unsigned int len, next_cmd;
 
 	if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
 		return false;
 
 	hdr = ksmbd_req_buf_next(work);
-	if (le32_to_cpu(hdr->NextCommand) > 0) {
+	next_cmd = le32_to_cpu(hdr->NextCommand);
+	if (next_cmd > 0) {
+		if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
+				__SMB2_HEADER_STRUCTURE_SIZE >
+				get_rfc1002_len(work->request_buf)) {
+			pr_err("next command(%u) offset exceeds smb msg size\n",
+					next_cmd);
+			return false;
+		}
+
 		ksmbd_debug(SMB, "got SMB2 chained command\n");
 		init_chained_smb2_rsp(work);
 		return true;
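Review bot: The new bound on `next_cmd` only guards the upper end; nothing in the hunk rejects a NextCommand smaller than the SMB2 header or one that is not 8-byte aligned, so a value such as 8 still passes and `init_chained_smb2_rsp()`, called right after the check, would — if it advances `next_smb2_rcv_hdr_off` by that amount as its placement suggests — walk overlapping, misaligned headers until the upper bound finally trips. I would prepend `if (next_cmd < __SMB2_HEADER_STRUCTURE_SIZE || (next_cmd & 7) ||` to the existing `(u64)` comparison, which is also what MS-SMB2 requires of NextCommand (8-byte aligned, pointing past the current command). The `pr_err()` fires on a value an unauthenticated remote peer controls, so `pr_err_ratelimited()` would avoid a trivial log-flood. is_chained_smb2_message's body continues past the end of the hunk.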