Commit 6586c4d4 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag '6.3-rc6-ksmbd-server-fix' of git://git.samba.org/ksmbd 

Pull ksmbd server fix from Steve French:
 "smb311 server preauth integrity negotiate context parsing fix (check
  for out of bounds access)"

* tag '6.3-rc6-ksmbd-server-fix' of git://git.samba.org/ksmbd:
  ksmbd: avoid out of bounds access in decode_preauth_ctxt()
parents 3e7bb4f2 e7067a44

fs/ksmbd/smb2pdu.c

+14 −9
Original line number Diff line number Diff line
@@ -876,17 +876,21 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn, 
}



static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,

				  struct smb2_preauth_neg_context *pneg_ctxt)

				  struct smb2_preauth_neg_context *pneg_ctxt,

				  int len_of_ctxts)

{

	__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;

	/*

	 * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,

	 * which may not be present. Only check for used HashAlgorithms[1].

	 */

	if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)

		return STATUS_INVALID_PARAMETER;



	if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {

		conn->preauth_info->Preauth_HashId =

			SMB2_PREAUTH_INTEGRITY_SHA512;

		err = STATUS_SUCCESS;

	}

	if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)

		return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;



	return err;

	conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;

	return STATUS_SUCCESS;

}



static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
@@ -1014,7 +1018,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn, 
				break;



			status = decode_preauth_ctxt(conn,

						     (struct smb2_preauth_neg_context *)pctx);

						     (struct smb2_preauth_neg_context *)pctx,

						     len_of_ctxts);

			if (status != STATUS_SUCCESS)

				break;

		} else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {