Commit d72a9c15 authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French
Browse files

ksmbd: fix invalid request buffer access in compound 



Ronnie reported invalid request buffer access in chained command when
inserting garbage value to NextCommand of compound request.
This patch add validation check to avoid this issue.

Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Tested-by: default avatarSteve French <smfrench@gmail.com>
Reviewed-by: default avatarSteve French <smfrench@gmail.com>
Acked-by: default avatarHyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 18d46769

fs/ksmbd/smb2pdu.c

+11 −2
Original line number Diff line number Diff line
@@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) 
bool is_chained_smb2_message(struct ksmbd_work *work)

{

	struct smb2_hdr *hdr = work->request_buf;

	unsigned int len;

	unsigned int len, next_cmd;



	if (hdr->ProtocolId != SMB2_PROTO_NUMBER)

		return false;



	hdr = ksmbd_req_buf_next(work);

	if (le32_to_cpu(hdr->NextCommand) > 0) {

	next_cmd = le32_to_cpu(hdr->NextCommand);

	if (next_cmd > 0) {

		if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +

			__SMB2_HEADER_STRUCTURE_SIZE >

		    get_rfc1002_len(work->request_buf)) {

			pr_err("next command(%u) offset exceeds smb msg size\n",

			       next_cmd);

			return false;

		}



		ksmbd_debug(SMB, "got SMB2 chained command\n");

		init_chained_smb2_rsp(work);

		return true;