ksmbd: validate credit charge after validating SMB2 PDU body size

smb2_validate_credit_charge() accesses fields in the SMB2 PDU body,
but until smb2_calc_size() is called the PDU has not yet been verified
to be large enough to access the PDU dynamic part length field.

Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Ralph Boehme and committed by Steve French 7a334887 2ea086e3

+10 -9
+10 -9
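--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -400,26 +400,20 @@
 }
 }
 
-if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
-smb2_validate_credit_charge(work->conn, hdr)) {
-work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
-return 1;
-}
-
 if (smb2_calc_size(hdr, &clc_len))
 return 1;
 
 if (len != clc_len) {
 /* client can return one byte more due to implied bcc[0] */
 if (clc_len == len + 1)
-return 0;
+goto validate_credit;
 
 /*
 * Some windows servers (win2016) will pad also the final
 * PDU in a compound to 8 bytes.
 */
 if (ALIGN(clc_len, 8) == len)
-return 0;
+goto validate_credit;
 
 /*
 * windows client also pad up to 8 bytes when compounding.
@@ -426,7 +432,7 @@
 "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
 len, clc_len, command,
 le64_to_cpu(hdr->MessageId));
-return 0;
+goto validate_credit;
 }
 
 ksmbd_debug(SMB,
@@ -434,6 +440,13 @@
 len, clc_len, command,
 le64_to_cpu(hdr->MessageId));
 
+return 1;
+}
+
+validate_credit:
+if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+smb2_validate_credit_charge(work->conn, hdr)) {
+work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
 return 1;
 }
 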
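Review bot: The new `validate_credit:` block at the end of the section carries no comment recording why the credit-charge check now sits after smb2_calc_size(), so the ordering invariant this commit establishes lives only in the commit message and a later refactor could move the check back ahead of the body-size validation. I would add above the label `/* smb2_validate_credit_charge() reads the PDU's dynamic part length; it must run only after smb2_calc_size() has confirmed the body is large enough to hold that field. */`. Every tolerated-padding path inside the `if (len != clc_len)` block now reaches the check through `goto validate_credit`, which matches the stated intent; the label's indentation is not visible on this rendered page, so it is worth confirming it sits at column 0 as kernel style expects. The enclosing function starts before and ends after this section.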