diff mbox series

[2/2] ksmbd: check iov vector index in ksmbd_conn_write()

Message ID 20230919144740.52610-2-linkinjeon@kernel.org (mailing list archive)
State New, archived
Headers show
Series [1/2] ksmbd: return invalid parameter error response if smb2 request is invalid | expand

Commit Message

Namjae Jeon Sept. 19, 2023, 2:47 p.m. UTC 
If ->iov_idx is zero, This means that the iov vector for the response
was not added during the request process. In other words, it means that
there is a problem in generating a response, So this patch dump the command
information in the request and returned as an error to avoid NULL pointer
dereferencing problem.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/smb/server/connection.c |  6 ++++++
 fs/smb/server/misc.c       | 15 +++++++++++++++
 fs/smb/server/misc.h       |  2 ++
 3 files changed, 23 insertions(+)
diff mbox series

Patch

diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index 0d990c2f33cd..4e4133b3a4c9 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -14,6 +14,7 @@ 
 #include "connection.h"
 #include "transport_tcp.h"
 #include "transport_rdma.h"
+#include "misc.h"
 
 static DEFINE_MUTEX(init_lock);
 
@@ -197,6 +198,11 @@  int ksmbd_conn_write(struct ksmbd_work *work)
 	if (work->send_no_response)
 		return 0;
 
+	if (!work->iov_idx) {
+		ksmbd_dump_commands(work);
+		return -EINVAL;
+	}
+
 	ksmbd_conn_lock(conn);
 	sent = conn->transport->ops->writev(conn->transport, work->iov,
 			work->iov_cnt,
diff --git a/fs/smb/server/misc.c b/fs/smb/server/misc.c
index 9e8afaa686e3..0e44ce850575 100644
--- a/fs/smb/server/misc.c
+++ b/fs/smb/server/misc.c
@@ -379,3 +379,18 @@  inline long long ksmbd_systime(void)
 	ktime_get_real_ts64(&ts);
 	return ksmbd_UnixTimeToNT(ts);
 }
+
+void ksmbd_dump_commands(struct ksmbd_work *work)
+{
+	char *buf = (char *)work->request_buf + 4;
+	struct smb2_hdr *hdr;
+
+	pr_err("Dump commands in request\n");
+	do {
+		hdr = (struct smb2_hdr *)buf;
+		pr_err("Command : 0x%x, Next offset : %u\n",
+		       le16_to_cpu(hdr->Command),
+		       le32_to_cpu(hdr->NextCommand));
+		buf += le32_to_cpu(hdr->NextCommand);
+	} while (hdr->NextCommand);
+}
diff --git a/fs/smb/server/misc.h b/fs/smb/server/misc.h
index 1facfcd21200..3aef766fc722 100644
--- a/fs/smb/server/misc.h
+++ b/fs/smb/server/misc.h
@@ -10,6 +10,7 @@  struct ksmbd_share_config;
 struct nls_table;
 struct kstat;
 struct ksmbd_file;
+struct ksmbd_work;
 
 int match_pattern(const char *str, size_t len, const char *pattern);
 int ksmbd_validate_filename(char *filename);
@@ -23,6 +24,7 @@  void ksmbd_conv_path_to_windows(char *path);
 char *ksmbd_casefold_sharename(struct unicode_map *um, const char *name);
 char *ksmbd_extract_sharename(struct unicode_map *um, const char *treename);
 char *convert_to_unix_name(struct ksmbd_share_config *share, const char *name);
+void ksmbd_dump_commands(struct ksmbd_work *work);
 
 #define KSMBD_DIR_INFO_ALIGNMENT	8
 struct ksmbd_dir_info;