
ksmbd: Fix to handle removal of rfc1002 header from smb_hdr

The commit that removed the RFC1002 header from struct smb_hdr didn't also
fix the places in ksmbd that use that struct to provide graceful rejection
of SMB1 protocol requests.

Fixes: 83bfbd0bb902 ("cifs: Remove the RFC1002 header from smb_hdr")
Reported-by: Namjae Jeon <linkinjeon@kernel.org>
Link: https://lore.kernel.org/r/CAKYAXd9Ju4MFkkH5Jxfi1mO0AWEr=R35M3vQ_Xa7Yw34JoNZ0A@mail.gmail.com/
Cc: ChenXiaoSong <chenxiaosong.chenxiaosong@linux.dev>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by

David Howells and committed by
Steve French
0a70cac7 9448598b

+11 -11
+1 -1
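--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -95,7 +95,7 @@
 
 	if (ksmbd_conn_exiting(work->conn) ||
 	    ksmbd_conn_need_reconnect(work->conn)) {
-		rsp_hdr = work->response_buf;
+		rsp_hdr = smb2_get_msg(work->response_buf);
 		rsp_hdr->Status.CifsError = STATUS_CONNECTION_DISCONNECTED;
 		return 1;
 	}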
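Review bot: The status write that follows the new `rsp_hdr = smb2_get_msg(work->response_buf);` goes through `struct smb_hdr`'s `Status.CifsError`, yet nothing in this hunk restricts the path to SMB1, and an SMB2 header keeps its Status at a different offset (after StructureSize and CreditCharge) than the SMB1 header does, so on an SMB2 work item this presumably lands on the wrong header bytes. That was already the case before the change, since the net offset into the message is unchanged, so it is not a regression of this commit, but it is worth confirming. If the connection ops expose a protocol-aware status setter, routing the disconnect status through it would be safer; otherwise a comment such as `/* smb_hdr layout: assumes an SMB1-shaped response header */` should state the assumption. The enclosing function starts and ends outside the hunk.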
+10 -10
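--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@@ -140,7 +140,7 @@
 	if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
 		return ksmbd_smb2_check_message(work);
 
-	hdr = work->request_buf;
+	hdr = smb2_get_msg(work->request_buf);
 	if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER &&
 	    hdr->Command == SMB_COM_NEGOTIATE) {
 		work->conn->outstanding_credits++;
@@ -278,15 +278,14 @@
 			 req->DialectCount);
 	}
 
-	proto = *(__le32 *)((struct smb_hdr *)buf)->Protocol;
 	if (proto == SMB1_PROTO_NUMBER) {
 		struct smb_negotiate_req *req;
 
-		req = (struct smb_negotiate_req *)buf;
+		req = (struct smb_negotiate_req *)smb2_get_msg(buf);
 		if (le16_to_cpu(req->ByteCount) < 2)
 			goto err_out;
 
-		if (offsetof(struct smb_negotiate_req, DialectsArray) - 4 +
+		if (offsetof(struct smb_negotiate_req, DialectsArray) +
 		    le16_to_cpu(req->ByteCount) > smb_buf_length) {
 			goto err_out;
 		}
@@ -319,8 +320,8 @@
  */
 static int init_smb1_rsp_hdr(struct ksmbd_work *work)
 {
-	struct smb_hdr *rsp_hdr = (struct smb_hdr *)work->response_buf;
-	struct smb_hdr *rcv_hdr = (struct smb_hdr *)work->request_buf;
+	struct smb_hdr *rsp_hdr = (struct smb_hdr *)smb2_get_msg(work->response_buf);
+	struct smb_hdr *rcv_hdr = (struct smb_hdr *)smb2_get_msg(work->request_buf);
 
 	rsp_hdr->Command = SMB_COM_NEGOTIATE;
 	*(__le32 *)rsp_hdr->Protocol = SMB1_PROTO_NUMBER;
@@ -411,9 +412,10 @@
 
 int ksmbd_init_smb_server(struct ksmbd_conn *conn)
 {
+	struct smb_hdr *rcv_hdr = (struct smb_hdr *)smb2_get_msg(conn->request_buf);
 	__le32 proto;
 
-	proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol;
+	proto = *(__le32 *)rcv_hdr->Protocol;
 	if (conn->need_neg == false) {
 		if (proto == SMB1_PROTO_NUMBER)
 			return -EINVAL;
@@ -572,12 +572,12 @@
 
 static int smb_handle_negotiate(struct ksmbd_work *work)
 {
-	struct smb_negotiate_rsp *neg_rsp = work->response_buf;
+	struct smb_negotiate_rsp *neg_rsp = smb2_get_msg(work->response_buf);
 
 	ksmbd_debug(SMB, "Unsupported SMB1 protocol\n");
 
-	if (ksmbd_iov_pin_rsp(work, (void *)neg_rsp + 4,
-			      sizeof(struct smb_negotiate_rsp) - 4))
+	if (ksmbd_iov_pin_rsp(work, (void *)neg_rsp,
+			      sizeof(struct smb_negotiate_rsp)))
 		return -ENOMEM;
 
 	neg_rsp->hdr.Status.CifsError = STATUS_SUCCESS;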
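Review bot: In the second hunk, dropping `proto = *(__le32 *)((struct smb_hdr *)buf)->Protocol;` leaves `if (proto == SMB1_PROTO_NUMBER)` depending on a `proto` assigned before the hunk (presumably the protocol tag read via smb2_get_msg() at the start of the message, which SMB1 and SMB2 place at the same offset), and that dependency deserves a comment at the point of use, e.g. `/* proto already holds the 4-byte protocol tag at the message start; SMB1's Protocol and SMB2's ProtocolId share that offset */`. The reworked bound `offsetof(struct smb_negotiate_req, DialectsArray) + le16_to_cpu(req->ByteCount) > smb_buf_length` is only right if smb_buf_length still counts bytes after the 4-byte RFC1002 length and the embedded header in struct smb_negotiate_req now starts at Protocol; both look true from the other hunks but are defined outside this one. Separately, `req->ByteCount` is dereferenced before anything in the hunk checks that smb_buf_length covers the fixed part of the request, so unless the receive path already enforces a minimum PDU size, an `if (offsetof(struct smb_negotiate_req, DialectsArray) > smb_buf_length) goto err_out;` ahead of the ByteCount read would close that gap. Style nit: the `(struct smb_hdr *)` casts on smb2_get_msg() in the third and fourth hunks are redundant, since the first and last hunks assign its result to typed pointers without one. The enclosing function of the second hunk starts outside it.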