Commit c7705eec authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

ksmbd: use buf_data_size instead of recalculation in smb3_decrypt_req()



Tom suggested using the already-calculated buf_data_size to verify
these offsets.

Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Suggested-by: default avatarTom Talpey <tom@talpey.com>
Acked-by: default avatarHyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 51a13873
+3 −5
@@ -8395,20 +8395,18 @@ int smb3_decrypt_req(struct ksmbd_work *work)
	struct smb2_hdr *hdr;
	unsigned int pdu_length = get_rfc1002_len(buf);
	struct kvec iov[2];
	unsigned int buf_data_size = pdu_length + 4 -
	int buf_data_size = pdu_length + 4 -
		sizeof(struct smb2_transform_hdr);
	struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
	int rc = 0;

	if (pdu_length + 4 <
	    sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
	if (buf_data_size < sizeof(struct smb2_hdr)) {
		pr_err("Transform message is too small (%u)\n",
		       pdu_length);
		return -ECONNABORTED;
	}

	if (pdu_length + 4 <
	    le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
	if (buf_data_size < le32_to_cpu(tr_hdr->OriginalMessageSize)) {
		pr_err("Transform message is broken\n");
		return -ECONNABORTED;
	}
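Review bot: The rewritten check `buf_data_size < sizeof(struct smb2_hdr)` no longer rejects a PDU that is shorter than the transform header itself. `buf_data_size` is initialised as `pdu_length + 4 - sizeof(struct smb2_transform_hdr)` before any validation, and that subtraction wraps in unsigned arithmetic when `pdu_length` is small. Because `sizeof` yields `size_t` and `le32_to_cpu()` yields an unsigned 32-bit value, both comparisons convert `buf_data_size` to unsigned even when it is declared `int`, so the wrapped value passes both checks where the removed `pdu_length + 4 < sizeof(...) + sizeof(...)` form caught it. As `pdu_length` appears to be read from the length field of the received request, I would keep an explicit lower bound in front of the new test: `if (pdu_length + 4 < sizeof(struct smb2_transform_hdr) || buf_data_size < sizeof(struct smb2_hdr)) {`. The body of smb3_decrypt_req() continues past the end of the hunk, so how these lengths are used afterwards is not visible here.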