Commit 9f3ebbef authored Sep 29, 2023 by Linus Torvalds

Merge tag '6.6-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:
 "Two SMB3 server fixes for null pointer dereferences:

   - invalid SMB3 request case (fixes issue found in testing the read
     compound patch)

   - iovec error case in response processing"

* tag '6.6-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: check iov vector index in ksmbd_conn_write()
  ksmbd: return invalid parameter error response if smb2 request is invalid

parents 14c06b91 73f949ea

fs/smb/server/connection.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -197,6 +197,9 @@ int ksmbd_conn_write(struct ksmbd_work *work)
		if (work->send_no_response)
		return 0;

		if (!work->iov_idx)
		return -EINVAL;

		ksmbd_conn_lock(conn);
		sent = conn->transport->ops->writev(conn->transport, work->iov,
		work->iov_cnt,

fs/smb/server/server.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -115,8 +115,10 @@ static int __process_request(struct ksmbd_work work, struct ksmbd_conn conn,
		if (check_conn_state(work))
		return SERVER_HANDLER_CONTINUE;

		if (ksmbd_verify_smb_message(work))
		if (ksmbd_verify_smb_message(work)) {
		conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
		return SERVER_HANDLER_ABORT;
		}

		command = conn->ops->get_cmd_val(work);
		*cmd = command;

fs/smb/server/smb2misc.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -440,10 +440,8 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)

		validate_credit:
		if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
		smb2_validate_credit_charge(work->conn, hdr)) {
		work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
		smb2_validate_credit_charge(work->conn, hdr))
		return 1;
		}

		return 0;
		}