
ksmbd: move leading slash check to smb2_get_name()

If the directory name in the root of the share starts with
a character like 镜(0x955c) or Ṝ(0x1e5c), it (and anything inside)
cannot be accessed. The leading slash check must be performed after
converting the unicode name to an nls string.

Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by

Namjae Jeon and committed by
Steve French
1cdeca6a 83a7eefe

+6 -9
+6 -9
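--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -630,6 +630,12 @@
 		return name;
 	}
 
+	if (*name == '\\') {
+		pr_err("not allow directory name included leading slash\n");
+		kfree(name);
+		return ERR_PTR(-EINVAL);
+	}
+
 	ksmbd_conv_path_to_unix(name);
 	ksmbd_strip_last_slash(name);
 	return name;
@@ -2842,20 +2848,11 @@
 	}
 
 	if (req->NameLength) {
-		if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
-		    *(char *)req->Buffer == '\\') {
-			pr_err("not allow directory name included leading slash\n");
-			rc = -EINVAL;
-			goto err_out2;
-		}
-
 		name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset),
 				     le16_to_cpu(req->NameLength),
 				     work->conn->local_nls);
 		if (IS_ERR(name)) {
 			rc = PTR_ERR(name);
-			if (rc != -ENOMEM)
-				rc = -ENOENT;
 			name = NULL;
 			goto err_out2;
 		}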
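Review bot: The leading-backslash rejection added in the first hunk now applies to every name passed through smb2_get_name(), whereas the check removed in the second hunk ran only when FILE_DIRECTORY_FILE_LE was set, yet the message still says "directory name". Because the name comes from the client, an unthrottled pr_err() on this path presumably lets a connected client flood the kernel log; consider `pr_err_ratelimited("not allow name with leading slash\n");` or a debug-level message. With `if (rc != -ENOMEM) rc = -ENOENT;` gone, the open path passes the helper's raw error to err_out2, which lies outside the hunk, so it is worth confirming that each error smb2_get_name() can return maps to the intended status there. A one-line comment above the new check, e.g. `/* test after UTF-16 -> NLS conversion: byte 0x5c may be half of a UTF-16 code unit */`, would record why it lives here. Both functions begin and end outside the visible hunks.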