ksmbd: fix transform header validation

Validate that the transform and smb request headers are present
before checking OriginalMessageSize and SessionId fields.

Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Tom Talpey <tom@talpey.com>
Acked-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Namjae Jeon and committed by Steve French 4227f811 8f77150c

+9 -9
+9 -9
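--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8414,15 +8414,7 @@
 unsigned int buf_data_size = pdu_length + 4 -
 sizeof(struct smb2_transform_hdr);
 struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
-unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
 int rc = 0;
-
-sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
-if (!sess) {
-pr_err("invalid session id(%llx) in transform header\n",
-le64_to_cpu(tr_hdr->SessionId));
-return -ECONNABORTED;
-}
 
 if (pdu_length + 4 <
 sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
@@ -8423,8 +8431,16 @@
 return -ECONNABORTED;
 }
 
-if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
+if (pdu_length + 4 <
+le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
 pr_err("Transform message is broken\n");
+return -ECONNABORTED;
+}
+
+sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
+if (!sess) {
+pr_err("invalid session id(%llx) in transform header\n",
+le64_to_cpu(tr_hdr->SessionId));
 return -ECONNABORTED;
 }
 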
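Review bot: The relocated OriginalMessageSize check in the second hunk is written as an addition on the attacker-controlled side, `le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)`, which on a 32-bit build is evaluated in 32 bits and can wrap to a small value for a header size near UINT_MAX, letting an oversized message pass the length check. Since the minimum-length check just above it already guarantees `pdu_length + 4` covers the transform header, the same condition can be expressed without any addition as `if (le32_to_cpu(tr_hdr->OriginalMessageSize) > buf_data_size) {`, reusing the `buf_data_size` computed at the top of the function. The types of `pdu_length` and of the later consumers of `buf_data_size` are outside the hunk, so whether the pre-check arithmetic in the `buf_data_size` initializer is ever used before validation should be confirmed there. The enclosing function begins before the first hunk and continues after the second.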