Unverified Commit 233fd117 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!1752 ksmbd: validate session id and tree id in the compound request 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhong Jinghua <zhongjinghua@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/J6ULAZDMFVS5TNUN6D7IIEPIA7NSJMZK/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7T0US 
 
Link:https://gitee.com/openeuler/kernel/pulls/1752

 

Reviewed-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 83500aaf fe515a66

fs/ksmbd/server.c

+20 −13
Original line number Diff line number Diff line
@@ -185,16 +185,24 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, 
		goto send;

	}



	do {

		if (conn->ops->check_user_session) {

			rc = conn->ops->check_user_session(work);

			if (rc < 0) {

			command = conn->ops->get_cmd_val(work);

				if (rc == -EINVAL)

					conn->ops->set_rsp_status(work,

						STATUS_INVALID_PARAMETER);

				else

					conn->ops->set_rsp_status(work,

						STATUS_USER_SESSION_DELETED);

				goto send;

			} else if (rc > 0) {

				rc = conn->ops->get_ksmbd_tcon(work);

				if (rc < 0) {

					if (rc == -EINVAL)

						conn->ops->set_rsp_status(work,

							STATUS_INVALID_PARAMETER);

					else

						conn->ops->set_rsp_status(work,

							STATUS_NETWORK_NAME_DELETED);

					goto send;
@@ -202,7 +210,6 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, 
			}

		}



	do {

		rc = __process_request(work, conn, &command);

		if (rc == SERVER_HANDLER_ABORT)

			break;

fs/ksmbd/smb2pdu.c

+39 −5
Original line number Diff line number Diff line
@@ -90,7 +90,6 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) 
	unsigned int cmd = le16_to_cpu(req_hdr->Command);

	int tree_id;



	work->tcon = NULL;

	if (cmd == SMB2_TREE_CONNECT_HE ||

	    cmd ==  SMB2_CANCEL_HE ||

	    cmd ==  SMB2_LOGOFF_HE) {
@@ -104,10 +103,28 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) 
	}



	tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId);



	/*

	 * If request is not the first in Compound request,

	 * Just validate tree id in header with work->tcon->id.

	 */

	if (work->next_smb2_rcv_hdr_off) {

		if (!work->tcon) {

			pr_err("The first operation in the compound does not have tcon\n");

			return -EINVAL;

		}

		if (work->tcon->id != tree_id) {

			pr_err("tree id(%u) is different with id(%u) in first operation\n",

					tree_id, work->tcon->id);

			return -EINVAL;

		}

		return 1;

	}



	work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id);

	if (!work->tcon) {

		pr_err("Invalid tid %d\n", tree_id);

		return -EINVAL;

		return -ENOENT;

	}



	return 1;
@@ -564,7 +581,6 @@ int smb2_check_user_session(struct ksmbd_work *work) 
	unsigned int cmd = conn->ops->get_cmd_val(work);

	unsigned long long sess_id;



	work->sess = NULL;

	/*

	 * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not

	 * require a session id, so no need to validate user session's for
@@ -575,15 +591,33 @@ int smb2_check_user_session(struct ksmbd_work *work) 
		return 0;



	if (!ksmbd_conn_good(conn))

		return -EINVAL;

		return -EIO;



	sess_id = le64_to_cpu(req_hdr->SessionId);



	/*

	 * If request is not the first in Compound request,

	 * Just validate session id in header with work->sess->id.

	 */

	if (work->next_smb2_rcv_hdr_off) {

		if (!work->sess) {

			pr_err("The first operation in the compound does not have sess\n");

			return -EINVAL;

		}

		if (work->sess->id != sess_id) {

			pr_err("session id(%llu) is different with the first operation(%lld)\n",

					sess_id, work->sess->id);

			return -EINVAL;

		}

		return 1;

	}



	/* Check for validity of user session */

	work->sess = ksmbd_session_lookup_all(conn, sess_id);

	if (work->sess)

		return 1;

	ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);

	return -EINVAL;

	return -ENOENT;

}



static void destroy_previous_session(struct ksmbd_conn *conn,