Commit ed1f75af authored by Marios Makassikis, committed by ZhaoLong Wang

ksmbd: send proper error response in smb2_tree_connect()

mainline inclusion
from mainline-v6.2-rc4
commit cdfb2fef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I74FNG
CVE: CVE-2023-2593

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cdfb2fef522d0c3f9cf293db51de88e9b3d46846



--------------------------------

Currently, smb2_tree_connect doesn't send an error response packet on
error.

This causes libsmb2 to skip the specific error code and fail with the
following:
 smb2_service failed with : Failed to parse fixed part of command
 payload. Unexpected size of Error reply. Expected 9, got 8

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
parent be1df69d
+5 −2
@@ -1980,13 +1980,13 @@ int smb2_tree_connect(struct ksmbd_work *work)
	if (conn->posix_ext_supported)
		status.tree_conn->posix_extensions = true;

out_err1:
	rsp->StructureSize = cpu_to_le16(16);
	inc_rfc1001_len(work->response_buf, 16);
out_err1:
	rsp->Capabilities = 0;
	rsp->Reserved = 0;
	/* default manual caching */
	rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;
	inc_rfc1001_len(work->response_buf, 16);

	if (!IS_ERR(treename))
		kfree(treename);
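Review bot: at the `out_err1:` label, its position relative to `inc_rfc1001_len(work->response_buf, 16);` is what decides whether a failed tree connect still accounts for the 16-byte success body, and nothing in the code says so. A one-line comment at the label stating that the error path must skip the length increment, since `smb2_set_err_rsp(work)` is called on failure further down, would keep a later cleanup from moving the label back above `rsp->StructureSize = cpu_to_le16(16);`. The `Capabilities`, `Reserved` and `ShareFlags` assignments below the label still run on the error path; if they serve no purpose there, consider placing them above the label as well.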
@@ -2018,6 +2018,9 @@ int smb2_tree_connect(struct ksmbd_work *work)
		rsp->hdr.Status = STATUS_ACCESS_DENIED;
	}

	if (status.ret != KSMBD_TREE_CONN_STATUS_OK)
		smb2_set_err_rsp(work);

	return rc;
}
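Review bot: the new test `if (status.ret != KSMBD_TREE_CONN_STATUS_OK)` depends on `status.ret` having been assigned on every path that reaches it, including early jumps to `out_err1`, and the hunk does not show that. Please confirm each early exit sets `status.ret`, or initialise it at declaration, so the check never reads an indeterminate value. Since `rsp->hdr.Status` is assigned just above (for example `STATUS_ACCESS_DENIED`), a short comment noting that `smb2_set_err_rsp(work)` must leave that status in place would document why the call comes after the status mapping.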