Commit 6c69b872 authored by Namjae Jeon's avatar Namjae Jeon Committed by ZhaoLong Wang
Browse files

ksmbd: limit pdu length size according to connection status 

mainline inclusion
from mainline-v6.3-rc1
commit 62c487b5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62c487b53a7ff31e322cf2874d3796b8202c54a5



--------------------------------

Stream protocol length will never be larger than 16KB until session setup.
After session setup, the size of requests will not be larger than
16KB + SMB2 MAX WRITE size. This patch limits these invalidly oversized
requests and closes the connection immediately.

Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>

Conflicts:
    fs/ksmbd/smb2pdu.h
parent 03630ee1

fs/ksmbd/connection.c

+15 −2
Original line number Diff line number Diff line
@@ -274,7 +274,7 @@ int ksmbd_conn_handler_loop(void *p) 
{

	struct ksmbd_conn *conn = (struct ksmbd_conn *)p;

	struct ksmbd_transport *t = conn->transport;

	unsigned int pdu_size;

	unsigned int pdu_size, max_allowed_pdu_size;

	char hdr_buf[4] = {0,};

	int size;
@@ -299,13 +299,26 @@ int ksmbd_conn_handler_loop(void *p) 
		pdu_size = get_rfc1002_len(hdr_buf);

		ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size);



		if (conn->status == KSMBD_SESS_GOOD)

			max_allowed_pdu_size =

				SMB3_MAX_MSGSIZE + conn->vals->max_write_size;

		else

			max_allowed_pdu_size = SMB3_MAX_MSGSIZE;



		if (pdu_size > max_allowed_pdu_size) {

			pr_err_ratelimited("PDU length(%u) excceed maximum allowed pdu size(%u) on connection(%d)\n",

					pdu_size, max_allowed_pdu_size,

					conn->status);

			break;

		}



		/*

		 * Check if pdu size is valid (min : smb header size,

		 * max : 0x00FFFFFF).

		 */

		if (pdu_size < __SMB2_HEADER_STRUCTURE_SIZE ||

		    pdu_size > MAX_STREAM_PROT_LEN) {

			continue;

			break;

		}



		/* 4 for rfc1002 length field */

fs/ksmbd/smb2pdu.h

+3 −2
Original line number Diff line number Diff line
@@ -115,6 +115,7 @@ 
#define SMB3_DEFAULT_TRANS_SIZE	(1024 * 1024)

#define SMB3_MIN_IOSIZE		(64 * 1024)

#define SMB3_MAX_IOSIZE		(8 * 1024 * 1024)

#define SMB3_MAX_MSGSIZE	(4 * 4096)



/*

 * SMB2 Header Definition