Commit 7a334887 authored by Ralph Boehme's avatar Ralph Boehme Committed by Steve French
Browse files

ksmbd: validate credit charge after validating SMB2 PDU body size 



smb2_validate_credit_charge() accesses fields in the SMB2 PDU body,
but until smb2_calc_size() is called the PDU has not yet been verified
to be large enough to access the PDU dynamic part length field.

Acked-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarRalph Boehme <slow@samba.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 2ea086e3

fs/ksmbd/smb2misc.c

+10 −9
Original line number Diff line number Diff line
@@ -400,26 +400,20 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) 
		}

	}



	if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&

	    smb2_validate_credit_charge(work->conn, hdr)) {

		work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);

		return 1;

	}



	if (smb2_calc_size(hdr, &clc_len))

		return 1;



	if (len != clc_len) {

		/* client can return one byte more due to implied bcc[0] */

		if (clc_len == len + 1)

			return 0;

			goto validate_credit;



		/*

		 * Some windows servers (win2016) will pad also the final

		 * PDU in a compound to 8 bytes.

		 */

		if (ALIGN(clc_len, 8) == len)

			return 0;

			goto validate_credit;



		/*

		 * windows client also pad up to 8 bytes when compounding.
@@ -432,7 +426,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) 
				    "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",

				    len, clc_len, command,

				    le64_to_cpu(hdr->MessageId));

			return 0;

			goto validate_credit;

		}



		ksmbd_debug(SMB,
@@ -443,6 +437,13 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) 
		return 1;

	}



validate_credit:

	if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&

	    smb2_validate_credit_charge(work->conn, hdr)) {

		work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);

		return 1;

	}



	return 0;

}