From patchwork Sat Oct 2 13:11:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532165 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99F6FC433F5 for ; Sat, 2 Oct 2021 13:25:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7C46261AF7 for ; Sat, 2 Oct 2021 13:25:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233038AbhJBN1A (ORCPT ); Sat, 2 Oct 2021 09:27:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1A (ORCPT ); Sat, 2 Oct 2021 09:27:00 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3647AC0613EC for ; Sat, 2 Oct 2021 06:25:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=5hAfwrhGJImpHft8YW0KFLOp0dMZ1hNydIR2TVPmsEs=; b=q8U5YTEpC9e2neA5o0uBFbksiI EgRhe8zWBJRdHE5WjfPpgFL0cqc32uh1mW+ROhAYRjFocyVx35ZoMYT3jRpGypdrfPXGonIxiSISi K5YWVDsnRDLb5mnzaLk8q5JeT37P5+wplUFwv/B/WjG7wd5qlLB/RWlcJgbLeNwRfqQAlypqZRm79 klqE/9Z4qFW2q6dZi5StSCAUd2DYuGUxZJSEbW/yBk9CpCmpYJ9gUpOzPM2TvYXC2rUPYaRZ6Mxhd Ld8Eorrivcqg9q9W8gQzfKshzI/TYWB59czgXky+AVPv+RSIKMQTfqEwb6LIZyz/GG3S9iyuwilb5 bx6DhRJOwDVQwWilZWJK3zEvetnfktzhcL5iVaQr5fGmfPyDTEloSBRJrpG99AedbbdMM7YWN3eJg ImJfbKnTdtbUZN2xvmLW6R/KNJnpj/9tN1b/6TTP3mVtzo2cBfnacSuQ0UddQGWau026RIGWkz4iZ bk/2RezrVnQp7klRV4G9mhPd; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa 
(TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoN-001DcY-OX; Sat, 02 Oct 2021 13:12:19 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Ralph Böhme , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v6 01/14] ksmbd: add the check to validate if stream protocol length exceeds maximum value Date: Sat, 2 Oct 2021 15:11:59 +0200 Message-Id: <20211002131212.130629-2-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org From: Namjae Jeon This patch adds the MAX_STREAM_PROT_LEN macro and checks if the stream protocol length exceeds the maximum value. Open-code the pdu size check in ksmbd_pdu_size_has_room(). Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/connection.c | 9 +++++---- fs/ksmbd/smb_common.c | 6 ------ fs/ksmbd/smb_common.h | 4 ++-- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c index af086d35398a..e50353c50661 100644 --- a/fs/ksmbd/connection.c +++ b/fs/ksmbd/connection.c @@ -296,10 +296,11 @@ int ksmbd_conn_handler_loop(void *p) pdu_size = get_rfc1002_len(hdr_buf); ksmbd_debug(CONN, "RFC1002 header %u bytes\n", pdu_size); - /* make sure we have enough to get to SMB header end */ - if (!ksmbd_pdu_size_has_room(pdu_size)) { - ksmbd_debug(CONN, "SMB request too short (%u bytes)\n", - pdu_size); + /* + * Check if pdu size is valid (min : smb header size, + * max : 0x00FFFFFF). + */ + if (pdu_size > MAX_STREAM_PROT_LEN) { continue; } diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index db8042a173d0..b6c4c7e960fa 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c 
@@ -21,7 +21,6 @@ static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%"; #define MAGIC_CHAR '~' #define PERIOD '.' #define mangle(V) ((char)(basechars[(V) % MANGLE_BASE])) -#define KSMBD_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr)) struct smb_protocol { int index; @@ -294,11 +293,6 @@ int ksmbd_init_smb_server(struct ksmbd_work *work) return 0; } -bool ksmbd_pdu_size_has_room(unsigned int pdu) -{ - return (pdu >= KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4); -} - int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level, struct ksmbd_file *dir, struct ksmbd_dir_info *d_info, diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h index 994abede27e9..6e79e7577f6b 100644 --- a/fs/ksmbd/smb_common.h +++ b/fs/ksmbd/smb_common.h @@ -48,6 +48,8 @@ #define CIFS_DEFAULT_IOSIZE (64 * 1024) #define MAX_CIFS_SMALL_BUFFER_SIZE 448 /* big enough for most */ +#define MAX_STREAM_PROT_LEN 0x00FFFFFF + /* Responses when opening a file. */ #define F_SUPERSEDED 0 #define F_OPENED 1 
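Review bot: the connection.c hunk of this patch drops the lower bound its own comment promises. The new comment says the pdu size is checked for "min : smb header size, max : 0x00FFFFFF", but the only test left is `if (pdu_size > MAX_STREAM_PROT_LEN)`, while the removed `ksmbd_pdu_size_has_room()` rejected anything shorter than `KSMBD_MIN_SUPPORTED_HEADER_SIZE - 4`. Either add the minimum back here (e.g. `if (pdu_size < sizeof(struct smb2_hdr) - 4 || pdu_size > MAX_STREAM_PROT_LEN)`) or fix the comment so it does not claim a check that is not made. The rejection is also silent now: the `ksmbd_debug(CONN, "SMB request too short (%u bytes)\n", ...)` line goes away with nothing in its place, so an out-of-range length never shows up in the debug log; a one-line debug message with the rejected size is cheap and helps when diagnosing a misbehaving client. Finally, `continue` returns to reading the next 4-byte header while the over-limit payload is still unread on the socket, so the stream is misaligned from then on; for an over-limit length, breaking out and closing the connection seems the safer reaction.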
@@ -493,8 +495,6 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); int ksmbd_init_smb_server(struct ksmbd_work *work); -bool ksmbd_pdu_size_has_room(unsigned int pdu); - struct ksmbd_kstat; int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
From patchwork Sat Oct 2 13:12:00 2021 X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532183
From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Ralph Böhme , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v6 02/14] ksmbd: add validation in smb2_ioctl Date: Sat, 2 Oct 2021 15:12:00 +0200 Message-Id: <20211002131212.130629-3-slow@samba.org> In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> From: Namjae Jeon Add validation for the request/response buffer size check in smb2_ioctl, make fsctl_copychunk() take a copychunk_ioctl_req pointer and the other arguments instead of the smb2_ioctl_req structure, and remove an unused smb2_ioctl_req argument of fsctl_validate_negotiate_info. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2pdu.c | 105 ++++++++++++++++++++++++++++++++++----------- fs/ksmbd/vfs.c | 2 +- fs/ksmbd/vfs.h | 2 +- 3 files changed, 83 insertions(+), 26 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index dcf907738610..3476cacd2784 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -7044,24 +7044,26 @@ int smb2_lock(struct ksmbd_work *work) return err; } -static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, +static int fsctl_copychunk(struct ksmbd_work *work, + struct copychunk_ioctl_req *ci_req, + unsigned int cnt_code, + unsigned int input_count, + unsigned long long volatile_id, + unsigned long long persistent_id, struct smb2_ioctl_rsp *rsp) { - struct copychunk_ioctl_req *ci_req; struct copychunk_ioctl_rsp *ci_rsp; struct ksmbd_file *src_fp = NULL, *dst_fp = NULL; struct srv_copychunk *chunks; unsigned int i, chunk_count, chunk_count_written = 0; unsigned int chunk_size_written = 0; loff_t total_size_written = 0; - int ret, cnt_code; + int ret = 0; - cnt_code = le32_to_cpu(req->CntCode); - ci_req = (struct copychunk_ioctl_req *)&req->Buffer[0]; ci_rsp = (struct copychunk_ioctl_rsp *)&rsp->Buffer[0]; - rsp->VolatileFileId = req->VolatileFileId; - rsp->PersistentFileId = req->PersistentFileId; + rsp->VolatileFileId = cpu_to_le64(volatile_id); + rsp->PersistentFileId = cpu_to_le64(persistent_id); ci_rsp->ChunksWritten = cpu_to_le32(ksmbd_server_side_copy_max_chunk_count()); ci_rsp->ChunkBytesWritten = @@ -7071,12 +7073,13 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, chunks = (struct srv_copychunk *)&ci_req->Chunks[0]; chunk_count = le32_to_cpu(ci_req->ChunkCount); + if (chunk_count == 0) + goto out; total_size_written = 0; /* verify the SRV_COPYCHUNK_COPY packet */ if (chunk_count > ksmbd_server_side_copy_max_chunk_count() || - le32_to_cpu(req->InputCount) < - offsetof(struct copychunk_ioctl_req, Chunks) + + input_count < offsetof(struct copychunk_ioctl_req, Chunks) + chunk_count * sizeof(struct srv_copychunk)) { rsp->hdr.Status = STATUS_INVALID_PARAMETER; return -EINVAL; 
@@ -7097,9 +7100,7 @@ static int fsctl_copychunk(struct ksmbd_work *work, struct smb2_ioctl_req *req, src_fp = ksmbd_lookup_foreign_fd(work, le64_to_cpu(ci_req->ResumeKey[0])); - dst_fp = ksmbd_lookup_fd_slow(work, - le64_to_cpu(req->VolatileFileId), - le64_to_cpu(req->PersistentFileId)); + dst_fp = ksmbd_lookup_fd_slow(work, volatile_id, persistent_id); ret = -EINVAL; if (!src_fp || src_fp->persistent_id != le64_to_cpu(ci_req->ResumeKey[1])) { @@ -7174,11 +7175,11 @@ static __be32 idev_ipv4_address(struct in_device *idev) } static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, - struct smb2_ioctl_req *req, - struct smb2_ioctl_rsp *rsp) + struct smb2_ioctl_rsp *rsp, + unsigned int out_buf_len) { struct network_interface_info_ioctl_rsp *nii_rsp = NULL; - int nbytes = 0; + unsigned int nbytes = 0; struct net_device *netdev; struct sockaddr_storage_rsp *sockaddr_storage; unsigned int flags; @@ -7187,6 +7188,10 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, rtnl_lock(); for_each_netdev(&init_net, netdev) { + if (out_buf_len < + nbytes + sizeof(struct network_interface_info_ioctl_rsp)) + break; + if (netdev->type == ARPHRD_LOOPBACK) continue; @@ -7258,6 +7263,8 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, sockaddr_storage->addr6.ScopeId = 0; } + if (out_buf_len - nbytes < sizeof(struct network_interface_info_ioctl_rsp)) + break; nbytes += sizeof(struct network_interface_info_ioctl_rsp); } rtnl_unlock(); 
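Review bot: the two new bound checks in fsctl_query_iface_info_ioctl() look redundant. The check at the top of the for_each_netdev loop, `if (out_buf_len < nbytes + sizeof(struct network_interface_info_ioctl_rsp)) break;`, already guarantees room for one more entry, and `nbytes` is not modified before the second check `if (out_buf_len - nbytes < sizeof(struct network_interface_info_ioctl_rsp)) break;` just ahead of `nbytes += sizeof(...)`. One of the two is enough; if both are kept on purpose, a comment should say which case the second one is meant to catch, otherwise the next reader will remove it.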
@@ -7278,11 +7285,16 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn, struct validate_negotiate_info_req *neg_req, - struct validate_negotiate_info_rsp *neg_rsp) + struct validate_negotiate_info_rsp *neg_rsp, + unsigned int in_buf_len) { int ret = 0; int dialect; + if (in_buf_len < sizeof(struct validate_negotiate_info_req) + + le16_to_cpu(neg_req->DialectCount) * sizeof(__le16)) + return -EINVAL; + dialect = ksmbd_lookup_dialect_by_id(neg_req->Dialects, neg_req->DialectCount); if (dialect == BAD_PROT_ID || dialect != conn->dialect) { @@ -7316,7 +7328,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn, static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id, struct file_allocated_range_buffer *qar_req, struct file_allocated_range_buffer *qar_rsp, - int in_count, int *out_count) + unsigned int in_count, unsigned int *out_count) { struct ksmbd_file *fp; loff_t start, length; @@ -7343,7 +7355,8 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id, } static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id, - int out_buf_len, struct smb2_ioctl_req *req, + unsigned int out_buf_len, + struct smb2_ioctl_req *req, struct smb2_ioctl_rsp *rsp) { struct ksmbd_rpc_command *rpc_resp; @@ -7457,8 +7470,7 @@ int smb2_ioctl(struct ksmbd_work *work) { struct smb2_ioctl_req *req; struct smb2_ioctl_rsp *rsp, *rsp_org; - int cnt_code, nbytes = 0; - int out_buf_len; + unsigned int cnt_code, nbytes = 0, out_buf_len, in_buf_len; u64 id = KSMBD_NO_FID; struct ksmbd_conn *conn = work->conn; int ret = 0; 
@@ -7487,7 +7499,11 @@ int smb2_ioctl(struct ksmbd_work *work) cnt_code = le32_to_cpu(req->CntCode); out_buf_len = le32_to_cpu(req->MaxOutputResponse); - out_buf_len = min(KSMBD_IPC_MAX_PAYLOAD, out_buf_len); + out_buf_len = + min_t(u32, work->response_sz - work->next_smb2_rsp_hdr_off - + (offsetof(struct smb2_ioctl_rsp, Buffer) - 4), + out_buf_len); + in_buf_len = le32_to_cpu(req->InputCount); switch (cnt_code) { case FSCTL_DFS_GET_REFERRALS: @@ -7515,6 +7531,7 @@ int smb2_ioctl(struct ksmbd_work *work) break; } case FSCTL_PIPE_TRANSCEIVE: + out_buf_len = min_t(u32, KSMBD_IPC_MAX_PAYLOAD, out_buf_len); nbytes = fsctl_pipe_transceive(work, id, out_buf_len, req, rsp); break; case FSCTL_VALIDATE_NEGOTIATE_INFO: @@ -7523,9 +7540,16 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct validate_negotiate_info_req)) + return -EINVAL; + + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) + return -EINVAL; + ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0], - (struct validate_negotiate_info_rsp *)&rsp->Buffer[0]); + (struct validate_negotiate_info_rsp *)&rsp->Buffer[0], + in_buf_len); if (ret < 0) goto out; @@ -7534,7 +7558,7 @@ int smb2_ioctl(struct ksmbd_work *work) rsp->VolatileFileId = cpu_to_le64(SMB2_NO_FID); break; case FSCTL_QUERY_NETWORK_INTERFACE_INFO: - nbytes = fsctl_query_iface_info_ioctl(conn, req, rsp); + nbytes = fsctl_query_iface_info_ioctl(conn, rsp, out_buf_len); if (nbytes < 0) goto out; break; 
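Review bot: with `nbytes` changed to `unsigned int` in smb2_ioctl(), the unchanged `if (nbytes < 0) goto out;` after `nbytes = fsctl_query_iface_info_ioctl(conn, rsp, out_buf_len);` can never be true, so a negative return from that function (still declared `int`) is treated as a very large byte count instead of an error. Keep a signed temporary for the return value, or check it before assigning to nbytes. In the FSCTL_VALIDATE_NEGOTIATE_INFO case the two new length checks `return -EINVAL;` directly, whereas every other new check in this patch does `ret = -EINVAL; goto out;`; the early return skips whatever the `out:` label does with `ret` and the response, so these should use the goto form too. Lastly, the `- 4` inside the new `out_buf_len` computation (`offsetof(struct smb2_ioctl_rsp, Buffer) - 4`) is an unexplained constant; a short comment stating what it accounts for would save the next reader a trip through the header definitions.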
@@ -7561,15 +7585,33 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct copychunk_ioctl_req)) { + ret = -EINVAL; + goto out; + } + if (out_buf_len < sizeof(struct copychunk_ioctl_rsp)) { ret = -EINVAL; goto out; } nbytes = sizeof(struct copychunk_ioctl_rsp); - fsctl_copychunk(work, req, rsp); + rsp->VolatileFileId = req->VolatileFileId; + rsp->PersistentFileId = req->PersistentFileId; + fsctl_copychunk(work, + (struct copychunk_ioctl_req *)&req->Buffer[0], + le32_to_cpu(req->CntCode), + le32_to_cpu(req->InputCount), + le64_to_cpu(req->VolatileFileId), + le64_to_cpu(req->PersistentFileId), + rsp); break; case FSCTL_SET_SPARSE: + if (in_buf_len < sizeof(struct file_sparse)) { + ret = -EINVAL; + goto out; + } + ret = fsctl_set_sparse(work, id, (struct file_sparse *)&req->Buffer[0]); if (ret < 0) @@ -7588,6 +7630,11 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } + if (in_buf_len < sizeof(struct file_zero_data_information)) { + ret = -EINVAL; + goto out; + } + zero_data = (struct file_zero_data_information *)&req->Buffer[0]; @@ -7607,6 +7654,11 @@ int smb2_ioctl(struct ksmbd_work *work) break; } case FSCTL_QUERY_ALLOCATED_RANGES: + if (in_buf_len < sizeof(struct file_allocated_range_buffer)) { + ret = -EINVAL; + goto out; + } + ret = fsctl_query_allocated_ranges(work, id, (struct file_allocated_range_buffer *)&req->Buffer[0], (struct file_allocated_range_buffer *)&rsp->Buffer[0], @@ -7647,6 +7699,11 @@ int smb2_ioctl(struct ksmbd_work *work) struct duplicate_extents_to_file *dup_ext; loff_t src_off, dst_off, length, cloned; + if (in_buf_len < sizeof(struct duplicate_extents_to_file)) { + ret = -EINVAL; + goto out; + } + dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0]; fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle, diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c index b41954294d38..835b384b0895 100644 --- a/fs/ksmbd/vfs.c +++ b/fs/ksmbd/vfs.c 
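Review bot: in the copychunk case the caller now sets `rsp->VolatileFileId = req->VolatileFileId; rsp->PersistentFileId = req->PersistentFileId;` and then fsctl_copychunk() assigns the same two fields again from `volatile_id`/`persistent_id` (`rsp->VolatileFileId = cpu_to_le64(volatile_id);`); one of the two assignments should go. The call also re-reads `le32_to_cpu(req->CntCode)` and `le32_to_cpu(req->InputCount)` although `cnt_code` and `in_buf_len` already hold exactly those values a few lines up; passing the locals avoids the duplicate conversions and keeps the checked value and the passed value the same by construction. The return value of `fsctl_copychunk(...)` is still discarded at the call site, so the new `ret = 0` initialisation and the `return -EINVAL` paths inside it only take effect through `rsp->hdr.Status`; if that is intended, a one-line comment at the call site would make it explicit.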
@@ -1023,7 +1023,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp, int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length, struct file_allocated_range_buffer *ranges, - int in_count, int *out_count) + unsigned int in_count, unsigned int *out_count) { struct file *f = fp->filp; struct inode *inode = file_inode(fp->filp); diff --git a/fs/ksmbd/vfs.h b/fs/ksmbd/vfs.h index 7b1dcaa3fbdc..b0d5b8feb4a3 100644 --- a/fs/ksmbd/vfs.h +++ b/fs/ksmbd/vfs.h 
@@ -166,7 +166,7 @@ int ksmbd_vfs_zero_data(struct ksmbd_work *work, struct ksmbd_file *fp, struct file_allocated_range_buffer; int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length, struct file_allocated_range_buffer *ranges, - int in_count, int *out_count); + unsigned int in_count, unsigned int *out_count); int ksmbd_vfs_unlink(struct user_namespace *user_ns, struct dentry *dir, struct dentry *dentry); void *ksmbd_vfs_init_kstat(char **p, struct ksmbd_kstat *ksmbd_kstat);
From patchwork Sat Oct 2 13:12:01 2021 X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532167
From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Ralph Böhme , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v6 03/14] ksmbd: check strictly data area in ksmbd_smb2_check_message() Date: Sat, 2 Oct 2021 15:12:01 +0200 Message-Id: <20211002131212.130629-4-slow@samba.org> In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> From: Namjae Jeon When the data offset and data length in a request are invalid, ksmbd_smb2_check_message checks strictly and doesn't allow such requests to be processed. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Acked-by: Hyunchul Lee Reviewed-by: Ralph Boehme Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2misc.c | 98 ++++++++++++++++++++++----------------------- 1 file changed, 47 insertions(+), 51 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 9aa46bb3e10d..9edd9c161b27 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c 
@@ -80,18 +80,21 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { }; /* - * Returns the pointer to the beginning of the data area. Length of the data - * area and the offset to it (from the beginning of the smb are also returned. + * Set length of the data area and the offset to arguments. + * if they are invalid, return error. */ -static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr) +static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, + struct smb2_hdr *hdr) { + int ret = 0; + *off = 0; *len = 0; /* error reqeusts do not have data area */ if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED && (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE) - return NULL; + return ret; /* * Following commands have data areas so we have to get the location 
@@ -165,69 +168,60 @@ static char *smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr) case SMB2_IOCTL: *off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset); *len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount); - break; default: ksmbd_debug(SMB, "no length check for command\n"); break; } - /* - * Invalid length or offset probably means data area is invalid, but - * we have little choice but to ignore the data area in this case. - */ if (*off > 4096) { - ksmbd_debug(SMB, "offset %d too large, data area ignored\n", - *off); - *len = 0; - *off = 0; - } else if (*off < 0) { - ksmbd_debug(SMB, - "negative offset %d to data invalid ignore data area\n", - *off); - *off = 0; - *len = 0; - } else if (*len < 0) { - ksmbd_debug(SMB, - "negative data length %d invalid, data area ignored\n", - *len); - *len = 0; - } else if (*len > 128 * 1024) { - ksmbd_debug(SMB, "data area larger than 128K: %d\n", *len); - *len = 0; + ksmbd_debug(SMB, "offset %d too large\n", *off); + ret = -EINVAL; + } else if ((u64)*off + *len > MAX_STREAM_PROT_LEN) { + ksmbd_debug(SMB, "Request is larger than maximum stream protocol length(%u): %llu\n", + MAX_STREAM_PROT_LEN, (u64)*off + *len); + ret = -EINVAL; } - /* return pointer to beginning of data area, ie offset from SMB start */ - if ((*off != 0) && (*len != 0)) - return (char *)hdr + *off; - else - return NULL; + return ret; } /* * Calculate the size of the SMB message based on the fixed header * portion, the number of word parameters and the data portion of the message. 
*/ -static unsigned int smb2_calc_size(void *buf) +static int smb2_calc_size(void *buf, unsigned int *len) { struct smb2_pdu *pdu = (struct smb2_pdu *)buf; struct smb2_hdr *hdr = &pdu->hdr; - int offset; /* the offset from the beginning of SMB to data area */ - int data_length; /* the length of the variable length data area */ + unsigned int offset; /* the offset from the beginning of SMB to data area */ + unsigned int data_length; /* the length of the variable length data area */ + int ret; + /* Structure Size has already been checked to make sure it is 64 */ - int len = le16_to_cpu(hdr->StructureSize); + *len = le16_to_cpu(hdr->StructureSize); /* * StructureSize2, ie length of fixed parameter area has already * been checked to make sure it is the correct length. */ - len += le16_to_cpu(pdu->StructureSize2); + *len += le16_to_cpu(pdu->StructureSize2); + /* + * StructureSize2 of smb2_lock pdu is set to 48, indicating + * the size of smb2 lock request with single smb2_lock_element + * regardless of number of locks. Subtract single + * smb2_lock_element for correct buffer size check. + */ + if (hdr->Command == SMB2_LOCK) + *len -= sizeof(struct smb2_lock_element); if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false) goto calc_size_exit; - smb2_get_data_area_len(&offset, &data_length, hdr); - ksmbd_debug(SMB, "SMB2 data length %d offset %d\n", data_length, + ret = smb2_get_data_area_len(&offset, &data_length, hdr); + if (ret) + return ret; + ksmbd_debug(SMB, "SMB2 data length %u offset %u\n", data_length, offset); if (data_length > 0) { 
@@ -237,16 +231,19 @@ static unsigned int smb2_calc_size(void *buf) * for some commands, typically those with odd StructureSize, * so we must add one to the calculation. */ - if (offset + 1 < len) + if (offset + 1 < *len) { ksmbd_debug(SMB, - "data area offset %d overlaps SMB2 header %d\n", - offset + 1, len); - else - len = offset + data_length; + "data area offset %d overlaps SMB2 header %u\n", + offset + 1, *len); + return -EINVAL; + } + + *len = offset + data_length; } + calc_size_exit: - ksmbd_debug(SMB, "SMB2 len %d\n", len); - return len; + ksmbd_debug(SMB, "SMB2 len %u\n", *len); + return 0; } static inline int smb2_query_info_req_len(struct smb2_query_info_req *h) @@ -391,9 +388,11 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } - clc_len = smb2_calc_size(hdr); + if (smb2_calc_size(hdr, &clc_len)) + return 1; + if (len != clc_len) { - /* server can return one byte more due to implied bcc[0] */ + /* client can return one byte more due to implied bcc[0] */ if (clc_len == len + 1) return 0; 
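Review bot: two format strings in this patch no longer match their arguments now that `off`/`offset` are `unsigned int`: `ksmbd_debug(SMB, "offset %d too large\n", *off);` in smb2_get_data_area_len() and `"data area offset %d overlaps SMB2 header %u\n"` in smb2_calc_size() should use `%u` for the offset, as the neighbouring `"SMB2 data length %u offset %u\n"` already does. Replacing the old `*len > 128 * 1024` rejection with `(u64)*off + *len > MAX_STREAM_PROT_LEN` widens what smb2_get_data_area_len() accepts considerably; that is only safe because ksmbd_smb2_check_message() afterwards compares the computed `clc_len` with the received `len`, so the commit message should say that the 128K cap is dropped on purpose and why. The SMB2_LOCK adjustment (`*len -= sizeof(struct smb2_lock_element)`) together with the `len == 88` special case removed in the hunk that follows means clc_len no longer counts any lock element; it is not visible here which branch of ksmbd_smb2_check_message() then accepts a lock request carrying several elements, and a comment next to the subtraction pointing at that branch would help.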
@@ -418,9 +417,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 0; } - if (command == SMB2_LOCK_HE && len == 88) - return 0; - ksmbd_debug(SMB, "cli req too short, len %d not %d. cmd:%d mid:%llu\n", len, clc_len, command,
From patchwork Sat Oct 2 13:12:02 2021 X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532149
From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Ralph Böhme , Steve French , Sergey Senozhatsky , Hyunchul Lee Subject: [PATCH v6 04/14] ksmbd: remove the leftover of smb2.0 dialect support Date: Sat, 2 Oct 2021 15:12:02 +0200 Message-Id: <20211002131212.130629-5-slow@samba.org> In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> From: Namjae Jeon Although ksmbd doesn't send SMB2.0 support in the supported dialect list of the smb negotiate response, there is a leftover of the smb2.0 dialect. This patch removes it so as not to support SMB2.0 in ksmbd. Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Ralph Böhme Cc: Steve French Cc: Sergey Senozhatsky Cc: Hyunchul Lee Signed-off-by: Namjae Jeon --- fs/ksmbd/smb2ops.c | 5 ----- fs/ksmbd/smb2pdu.c | 34 +++++++++------------------------- fs/ksmbd/smb2pdu.h | 1 - fs/ksmbd/smb_common.c | 6 +++--- 4 files changed, 12 insertions(+), 34 deletions(-) diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c index 197473871aa4..b06456eb587b 100644 --- a/fs/ksmbd/smb2ops.c +++ b/fs/ksmbd/smb2ops.c @@ -187,11 +187,6 @@ static struct smb_version_cmds smb2_0_server_cmds[NUMBER_OF_SMB2_COMMANDS] = { [SMB2_CHANGE_NOTIFY_HE] = { .proc = smb2_notify}, }; -int init_smb2_0_server(struct ksmbd_conn *conn) -{ - return -EOPNOTSUPP; -} - /** * init_smb2_1_server() - initialize a smb server connection with smb2.1 * command dispatcher diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 3476cacd2784..b06361313889 100644 
--- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -236,9 +236,6 @@ int init_smb2_neg_rsp(struct ksmbd_work *work) if (conn->need_neg == false) return -EINVAL; - if (!(conn->dialect >= SMB20_PROT_ID && - conn->dialect <= SMB311_PROT_ID)) - return -EINVAL; rsp_hdr = work->response_buf; @@ -1166,13 +1163,6 @@ int smb2_handle_negotiate(struct ksmbd_work *work) case SMB21_PROT_ID: init_smb2_1_server(conn); break; - case SMB20_PROT_ID: - rc = init_smb2_0_server(conn); - if (rc) { - rsp->hdr.Status = STATUS_NOT_SUPPORTED; - goto err_out; - } - break; case SMB2X_PROT_ID: case BAD_PROT_ID: default: @@ -1191,11 +1181,9 @@ int smb2_handle_negotiate(struct ksmbd_work *work) rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size); rsp->MaxWriteSize = cpu_to_le32(conn->vals->max_write_size); - if (conn->dialect > SMB20_PROT_ID) { - memcpy(conn->ClientGUID, req->ClientGUID, - SMB2_CLIENT_GUID_SIZE); - conn->cli_sec_mode = le16_to_cpu(req->SecurityMode); - } + memcpy(conn->ClientGUID, req->ClientGUID, + SMB2_CLIENT_GUID_SIZE); + conn->cli_sec_mode = le16_to_cpu(req->SecurityMode); rsp->StructureSize = cpu_to_le16(65); rsp->DialectRevision = cpu_to_le16(conn->dialect); @@ -1537,11 +1525,9 @@ static int ntlm_authenticate(struct ksmbd_work *work) } } - if (conn->dialect > SMB20_PROT_ID) { - if (!ksmbd_conn_lookup_dialect(conn)) { - pr_err("fail to verify the dialect\n"); - return -ENOENT; - } + if (!ksmbd_conn_lookup_dialect(conn)) { + pr_err("fail to verify the dialect\n"); + return -ENOENT; } return 0; } @@ -1623,11 +1609,9 @@ static int krb5_authenticate(struct ksmbd_work *work) } } - if (conn->dialect > SMB20_PROT_ID) { - if (!ksmbd_conn_lookup_dialect(conn)) { - pr_err("fail to verify the dialect\n"); - return -ENOENT; - } + if (!ksmbd_conn_lookup_dialect(conn)) { + pr_err("fail to verify the dialect\n"); + return -ENOENT; } return 0; } diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h index 261825d06391..a6dec5ec6a54 100644 --- a/fs/ksmbd/smb2pdu.h 
+++ b/fs/ksmbd/smb2pdu.h @@ -1637,7 +1637,6 @@ struct smb2_posix_info { } __packed; /* functions */ -int init_smb2_0_server(struct ksmbd_conn *conn); void init_smb2_1_server(struct ksmbd_conn *conn); void init_smb3_0_server(struct ksmbd_conn *conn); void init_smb3_02_server(struct ksmbd_conn *conn); diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index b6c4c7e960fa..707490ab1f4c 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c @@ -88,7 +88,7 @@ unsigned int ksmbd_server_side_copy_max_total_size(void) inline int ksmbd_min_protocol(void) { - return SMB2_PROT; + return SMB21_PROT; } inline int ksmbd_max_protocol(void) @@ -427,7 +427,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, static int __smb2_negotiate(struct ksmbd_conn *conn) { - return (conn->dialect >= SMB20_PROT_ID && + return (conn->dialect >= SMB21_PROT_ID && conn->dialect <= SMB311_PROT_ID); } 
@@ -457,7 +457,7 @@ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command) } } - if (command == SMB2_NEGOTIATE_HE) { + if (command == SMB2_NEGOTIATE_HE && __smb2_negotiate(conn)) { ret = smb2_handle_negotiate(work); init_smb2_neg_rsp(work); return ret; From patchwork Sat Oct 2 13:12:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532169 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C728FC433F5 for ; Sat, 2 Oct 2021 13:25:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A69EA61B08 for ; Sat, 2 Oct 2021 13:25:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233182AbhJBN1F (ORCPT ); Sat, 2 Oct 2021 09:27:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1F (ORCPT ); Sat, 2 Oct 2021 09:27:05 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B791C0613EC for ; Sat, 2 Oct 2021 06:25:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=FbToP3cBCVM9Ma6brMXNh+tonQqcwo/eFaZFr4z6ESg=; b=hPAnmClK2iP+r5IFGl6oRC22cs IuL4jFr31UnqSakU7q/+ObRldBNkqdvv/kNhykcOLcAYoWdW8I6ih4q6O/FRqxtJMD/lxwSTZF2nd aKzcC6uSxPOOEV9k6kWJOzU2c2eliPF3u8aNdiTh8vgJzxfpOcsGV03sz/VrRtvbckcPmOTsiH5mC tiuzZgLgdCVuiOAmpimYWFLS9JK3csymShXdLr8y9/yUUIrSgAXkBiMAtKtyu4dCIbTDlMONOtDAX dkTDkVziEtf/kn+Zn13FfogLScplDVyQ6XfU9VAX+QH1/Wf5GCt3TH6QrxE5PmJbJ4bGoMLnp1eTy 
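Review bot: in the init_smb2_neg_rsp() hunk the dialect range check (`conn->dialect >= SMB20_PROT_ID && conn->dialect <= SMB311_PROT_ID`) is removed outright rather than narrowed to a SMB21_PROT_ID lower bound, so a caller that reaches this function with an out-of-range dialect is no longer rejected with -EINVAL and the function now silently relies on its callers having gated on __smb2_negotiate(). Either keep the check with SMB21_PROT_ID as the lower bound or add a comment stating that contract next to the remaining `if (conn->need_neg == false)` test.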
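Review bot: in the ksmbd_smb_negotiate_common() hunk, adding `&& __smb2_negotiate(conn)` to the SMB2_NEGOTIATE_HE condition means an SMB2 NEGOTIATE whose dialect falls outside SMB21..SMB311 (for example BAD_PROT_ID when a client offers only SMB 2.0.2) no longer enters smb2_handle_negotiate(), whose `case BAD_PROT_ID: default:` branch previously handled that case; the commit message should say what the client receives on the new fall-through path, and it should still be an explicit error response rather than a silently dropped negotiate.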
vCR3A+nXC8eyV2rZGkdF1uEnbQC1sNXvazvUwKIw2ttN0xo/CHJzLaREKqP9dWtGhCOQUe7XIcCz4 In831AlXruLHx1EbHRDoiTyJDy79C/R4yLtM1QZppst9gLueJzH2vpNL+IR4p491jSD/6DOMr2Nuv k77Esj/7037bX6lp+nK7T9Ea; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoQ-001DcY-1o; Sat, 02 Oct 2021 13:12:22 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme Subject: [PATCH v6 05/14] ksmbd: use ksmbd_req_buf_next() in ksmbd_verify_smb_message() Date: Sat, 2 Oct 2021 15:12:03 +0200 Message-Id: <20211002131212.130629-6-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Signed-off-by: Ralph Boehme --- fs/ksmbd/smb_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index 707490ab1f4c..e1e5a071678e 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c 
@@ -132,7 +132,7 @@ int ksmbd_lookup_protocol_idx(char *str) */ int ksmbd_verify_smb_message(struct ksmbd_work *work) { - struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off; + struct smb2_hdr *smb2_hdr = ksmbd_req_buf_next(work); struct smb_hdr *hdr; if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) From patchwork Sat Oct 2 13:12:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532175 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D3E2C433EF for ; Sat, 2 Oct 2021 13:25:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 408C061B08 for ; Sat, 2 Oct 2021 13:25:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233216AbhJBN1P (ORCPT ); Sat, 2 Oct 2021 09:27:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1O (ORCPT ); Sat, 2 Oct 2021 09:27:14 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCB38C0613EC for ; Sat, 2 Oct 2021 06:25:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=MWRvV/IrF2/E/YfGChZyT9gyo6eF7R7G2D3V+iQHpQk=; b=jPzM3VlWBi1Zvkwvg4ToaEHMaq W8idi9PGGlUkuYHQJLADHE+GX5HX/BQTrAMHzyMWuk0xfyW/I+DIs6lWOYD0oS6YGtaBy/f7L9wBf p/E8JNWsuCOiMrNLD77awTzvPoUiHS4DstjS83G4Ok+c3ZAalsDRXoRtlfMLASaiCznEaWcGnpnfd naaWVhwP95bld5pzYbjeYxFc10+9o2GRlwZbHcjwRVch0rgfUVaRIztNDo9G8f/6B4Xs1sTnFTO32 DIEywmpwkgaaWXJxfGRL1TseR5ta58DeNwIast3MhzCdHKRcdzulOjZhkuBy1jIkUfg9yUQ9JJT2A 
kczN1rIsbZCZ2yMaPK4wNIbQLbMNO8WBuPwepZs7mbWnYhmJ7t8fqASvYqMRpcTA1zI6SysiFwTNW ESVTqvBp8olsFI1yo6qyiVu3BiSM858Rj7YnquFwrzKYKqbedt9EvbXIYdVP3c3RoWmgPG5jTMc/N Lyh1XViqtwiO6AvCSJjpF817; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoQ-001DcY-DC; Sat, 02 Oct 2021 13:12:22 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme Subject: [PATCH v6 06/14] ksmbd: check buffer is big enough to access the ProtocolId field Date: Sat, 2 Oct 2021 15:12:04 +0200 Message-Id: <20211002131212.130629-7-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 25 +++++++++++++++++++++++++ fs/ksmbd/smb2pdu.h | 1 + fs/ksmbd/smb_common.c | 8 ++++++++ 3 files changed, 34 insertions(+) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 9edd9c161b27..c1f0f10ca9f9 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -432,3 +432,28 @@ int smb2_negotiate_request(struct ksmbd_work *work) { return ksmbd_smb_negotiate_common(work, SMB2_NEGOTIATE_HE); } + +/** + * ksmbd_smb2_cur_pdu_buflen() - Get len of current SMB2 PDU buffer + * This returns the lenght including any possible padding. + * @work: smb work containing request buffer + */ +unsigned int ksmbd_smb2_cur_pdu_buflen(struct ksmbd_work *work) +{ + struct smb2_hdr *hdr = ksmbd_req_buf_next(work); + unsigned int buf_len; + unsigned int pdu_len; + + if (hdr->NextCommand != 0) { + /* + * hdr->NextCommand has already been validated by + * init_chained_smb2_rsp(). + */ + return __le32_to_cpu(hdr->NextCommand); + } + + buf_len = get_rfc1002_len(work->request_buf); + pdu_len = buf_len - work->next_smb2_rcv_hdr_off; + return pdu_len; +} + 
diff --git a/fs/ksmbd/smb2pdu.h b/fs/ksmbd/smb2pdu.h index a6dec5ec6a54..c5fa8256b0bb 100644 --- a/fs/ksmbd/smb2pdu.h +++ b/fs/ksmbd/smb2pdu.h @@ -1680,6 +1680,7 @@ int smb2_set_rsp_credits(struct ksmbd_work *work); /* smb2 misc functions */ int ksmbd_smb2_check_message(struct ksmbd_work *work); +unsigned int ksmbd_smb2_cur_pdu_buflen(struct ksmbd_work *work); /* smb2 command handlers */ int smb2_handle_negotiate(struct ksmbd_work *work); diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c index e1e5a071678e..0dc70ed2a5be 100644 --- a/fs/ksmbd/smb_common.c +++ b/fs/ksmbd/smb_common.c 
@@ -133,8 +133,16 @@ int ksmbd_lookup_protocol_idx(char *str) int ksmbd_verify_smb_message(struct ksmbd_work *work) { struct smb2_hdr *smb2_hdr = ksmbd_req_buf_next(work); + unsigned int buflen = ksmbd_smb2_cur_pdu_buflen(work); struct smb_hdr *hdr; + /* + * ksmbd_smb2_check_message() will verify all SMB2 PDU buffer sizes, + * here we just check we can access the ProtocolId field in the header. + */ + if (buflen < sizeof(smb2_hdr->ProtocolId)) + return -EINVAL; + if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER) return ksmbd_smb2_check_message(work); From patchwork Sat Oct 2 13:12:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4AA5AC433F5 for ; Sat, 2 Oct 2021 13:25:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3201561B08 for ; Sat, 2 Oct 2021 13:25:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233260AbhJBN1X (ORCPT ); Sat, 2 Oct 2021 09:27:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51298 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1W (ORCPT ); Sat, 2 Oct 2021 09:27:22 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 08014C0613EC for ; Sat, 2 Oct 2021 06:25:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=YSNmPZU1olsydMKBGwCxmXeXz0b6Cx9UA3ZYFroFOGw=; b=RDc1vCnjbHQnxq/T/MV1hflsY2 tBlgGyW5MCMYvv7u8Vdezm0bopfml6bu2kUo5f/ecpxH0yYsv5BGwxcz6g8w3Pm4UNmRSBQqi1OAw 
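Review bot: in ksmbd_smb2_cur_pdu_buflen(), the early `return __le32_to_cpu(hdr->NextCommand);` trusts the comment that init_chained_smb2_rsp() already validated NextCommand, but for the first PDU of a compound (work->next_smb2_rcv_hdr_off == 0) no chained response has been initialised yet, so the returned "buffer length" is a client-supplied value that may exceed the bytes actually received. Compute buf_len and pdu_len first and clamp, e.g. `return min_t(unsigned int, le32_to_cpu(hdr->NextCommand), pdu_len);`, or document which caller guarantees the bound for the first PDU. The kerneldoc typo `lenght` should read `length`.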
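Review bot: in the ksmbd_verify_smb_message() hunk the guard `if (buflen < sizeof(smb2_hdr->ProtocolId))` runs too late: buflen is initialised by calling ksmbd_smb2_cur_pdu_buflen(work), which dereferences smb2_hdr->NextCommand, a field that sits after ProtocolId in the header, before the size check executes, so the access the check is meant to protect is preceded by a read even further into the buffer. Derive the remaining length arithmetically (`get_rfc1002_len(work->request_buf) - work->next_smb2_rcv_hdr_off`) before touching any header field, and only consult NextCommand once the buffer is known to hold a complete struct smb2_hdr.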
mbkE5uS063q5L1VR5RkFavsBtYfQ7zphUKNwbz+yZfFg1sfHGMWI+pxK6jo5vPop4zNFumaYPsZ+l YzJL9vOEkpOKNU8cS3/wB4hrL4j+1WCCr5bQ3TXP1HTJlFYL8vchbdwhFquxoMr0caRvkmHT4F72T peNUOcV/i74nSSisado39rXdWS59MMeex1CCQXZwLPXWAs/3Oxis+SDa028kMwm+Tp7C+ocT1d7fb OnwNDApcBBuCjR5N+LRpzZWNY7VaoXLKOM2uS69VaWQZeipqxnCaNPo+NPb7d89J9dfrdSmLo5DYf l1XA2yNiqcWoheIBlfP+dPAjAIpSQK6oxrK5avSWVqopTkiLTN9DmuHV/pjXNVm7qFJZi8QLlQBoC MFjID00aGHU4KFMiuVKH+pgF; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoQ-001DcY-VF; Sat, 02 Oct 2021 13:12:23 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 07/14] ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message() Date: Sat, 2 Oct 2021 15:12:05 +0200 Message-Id: <20211002131212.130629-8-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index c1f0f10ca9f9..76f53db7db8d 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c 
@@ -329,17 +329,12 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr) int ksmbd_smb2_check_message(struct ksmbd_work *work) { - struct smb2_pdu *pdu = work->request_buf; + struct smb2_pdu *pdu = ksmbd_req_buf_next(work); struct smb2_hdr *hdr = &pdu->hdr; int command; __u32 clc_len; /* calculated length */ __u32 len = get_rfc1002_len(pdu); - if (work->next_smb2_rcv_hdr_off) { - pdu = ksmbd_req_buf_next(work); - hdr = &pdu->hdr; - } - if (le32_to_cpu(hdr->NextCommand) > 0) { len = le32_to_cpu(hdr->NextCommand); } else if (work->next_smb2_rcv_hdr_off) { From patchwork Sat Oct 2 13:12:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532177 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61529C433F5 for ; Sat, 2 Oct 2021 13:25:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4B85061AF7 for ; Sat, 2 Oct 2021 13:25:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233254AbhJBN1R (ORCPT ); Sat, 2 Oct 2021 09:27:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1Q (ORCPT ); Sat, 2 Oct 2021 09:27:16 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0AB77C0613EC for ; Sat, 2 Oct 2021 06:25:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=YnmZ4rBj6/U25JQdxacF0yp+BjlyrxXq7IN5+KtPqds=; b=mZi2Q8x4DDgyyuZ8eaWQxNEqbp 
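Review bot: `__u32 len = get_rfc1002_len(pdu);` is now evaluated with pdu already pointing at the current chained PDU (ksmbd_req_buf_next(work)) instead of work->request_buf, so whenever work->next_smb2_rcv_hdr_off != 0 the "RFC1002 length" is read from the first four bytes of the chained SMB2 header (its ProtocolId) rather than from the stream header, and the `else if (work->next_smb2_rcv_hdr_off)` path below then subtracts the offset from garbage; that contradicts "No change in behaviour". Use `get_rfc1002_len(work->request_buf)` here, or squash this patch with the following one, which replaces the len computation altogether, so the series stays bisectable.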
6ka2v90Gh/Qjhl8vUQpT/OSUs/68wh9dAkp9BoD05l4tZjJlfQxq+WECFuocqFiNgcp/vm1rXTd45 rP9GhsCii8tyPQSFGvg+2mOFKP3fo2Efk9CiXHHPxoQHbv4Kok4NFCNjrNHf7JUqL4H0iWngqFvJw fxZiYo/Wol+PxjsLZjkLk78GGv9to/WAi6WFnHn4aBNOhFnMSup+d9OUh9OBGmMAGHtutBSwPe6Jp +l2Ogg7ws92hJTnS9wgf9TgohZ6ueVOba4SUjAY0C6P1LgL1D/g3hwou1N4Ms5xRNETxRfI15M2gC GrJ3KJkQAHzUNPXsSz2HbEv70F12r6jQ+tUwr+UfwavcN3DifqPmuJQ2S3SIhZXAyCOhNVJBho4nH tWJqPFlyI5qoERt2uixAAHgHFB6dI6Xm/+d9IvQdfzuw9tH906ImQejpzCvAFe7MIdjUOfhswHnmy OsinaUKf/B02S58QtKnT+gSY; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoR-001DcY-HS; Sat, 02 Oct 2021 13:12:23 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 08/14] ksmbd: use ksmbd_smb2_cur_pdu_buflen() in ksmbd_smb2_check_message() Date: Sat, 2 Oct 2021 15:12:06 +0200 Message-Id: <20211002131212.130629-9-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 76f53db7db8d..7ed266eb6c5e 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c 
@@ -333,14 +333,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) struct smb2_hdr *hdr = &pdu->hdr; int command; __u32 clc_len; /* calculated length */ - __u32 len = get_rfc1002_len(pdu); - - if (le32_to_cpu(hdr->NextCommand) > 0) { - len = le32_to_cpu(hdr->NextCommand); - } else if (work->next_smb2_rcv_hdr_off) { - len -= work->next_smb2_rcv_hdr_off; - len = round_up(len, 8); - } + __u32 len = ksmbd_smb2_cur_pdu_buflen(work); if (check_smb2_hdr(hdr)) return 1; 
@@ -395,7 +388,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) * Some windows servers (win2016) will pad also the final * PDU in a compound to 8 bytes. */ - if (ALIGN(clc_len, 8) == len) + if (ALIGN(clc_len, 8) == ALIGN(len, 8)) return 0; /* From patchwork Sat Oct 2 13:12:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532173 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB1BFC433F5 for ; Sat, 2 Oct 2021 13:25:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AFD2661B08 for ; Sat, 2 Oct 2021 13:25:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233109AbhJBN1M (ORCPT ); Sat, 2 Oct 2021 09:27:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1M (ORCPT ); Sat, 2 Oct 2021 09:27:12 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94B3DC0613EC for ; Sat, 2 Oct 2021 06:25:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=gcOkDaciJ1NsJos0u7ZxZoxHkGE3C4YqugB+34yYavo=; b=FwMviH4ZgqK+hrX6jBGJHYDrHz WRWC7u9oP0cWvYjkr4D/Q5trMY0hkBfCDH00EinbSvjhsGZLrYjDP/vlaptj0HSGqDmm/g3qdMav2 YkVK6VdsWOvouXDACUx8UjQqeXhOM/uhH058LmhPpb5c7m3be+VMFyh8fEzUatjVplepAO0Z2T/j+ dAeBbiPcdbt8XKT+RvYMNLA/hUlRpkkxyQm2cUXYnbQnx02p0urJHBJT/WDopPmk7ijgOvY33outK bNpHaE2GHTL2C4UoJBwue/aY0w+CPS3iwOFWvgApdUJdU8TnNpouc32Beo/EA6YWo5GURkecv7+o4 6RQcTfS5fGSvH2cCqRGDILST3TSne1wTgHBD1a/SAuoKNXKBWb/9iV1Kw99UogD3TU/QyxlfXS+Uc 
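Review bot: the first hunk drops the `len = round_up(len, 8);` that the old code applied to the last PDU of a compound, so every later comparison in ksmbd_smb2_check_message() that uses len, not only the padded-length test adjusted in the second hunk, now sees the unrounded value for that case; since the commit message claims "No change in behaviour", either list the affected comparisons and why their outcome is unchanged, or keep the rounding local to the single test that needs it.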
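Review bot: `if (ALIGN(clc_len, 8) == ALIGN(len, 8))` also matches when len is smaller than clc_len, e.g. clc_len = 100 and len = 98 both align to 104, so a PDU shorter than its computed size is accepted as "padded" and the function returns 0 before any further length checks run; the old `ALIGN(clc_len, 8) == len` could only match with len >= clc_len, and the rounding that previously had this effect was applied to the last PDU of a compound only, whereas now it applies to every PDU. Add `len >= clc_len &&` to the condition, since padding can only make len larger than clc_len.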
kI7XB3+24z1ImGJCLxuN0kbwDr6p/HDUttjzL/d7mFVu64/p9DjHpTHDzqEYM7RRP865TR3OTgCSQ Jc5FdRJOs8EF4DY+hEZTEmE+; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoS-001DcY-3q; Sat, 02 Oct 2021 13:12:24 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 09/14] ksmbd: check PDU len is at least header plus body size in ksmbd_smb2_check_message() Date: Sat, 2 Oct 2021 15:12:07 +0200 Message-Id: <20211002131212.130629-10-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Note: we already have the same check in is_chained_smb2_message(), but there it only applies to compound requests, so we have to repeat the check here to cover both cases. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 7ed266eb6c5e..541b39b7a84b 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c 
@@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) if (check_smb2_hdr(hdr)) return 1; + if (len < sizeof(struct smb2_pdu) - 4) + return 1; + if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { ksmbd_debug(SMB, "Illegal structure size %u\n", le16_to_cpu(hdr->StructureSize)); From patchwork Sat Oct 2 13:12:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532179 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95621C433EF for ; Sat, 2 Oct 2021 13:25:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7601161AF7 for ; Sat, 2 Oct 2021 13:25:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233230AbhJBN1T (ORCPT ); Sat, 2 Oct 2021 09:27:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51288 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1T (ORCPT ); Sat, 2 Oct 2021 09:27:19 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53C74C0613EC for ; Sat, 2 Oct 2021 06:25:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=ImcoTzW6T/0ToK3dGY1uZiG8CTNii1vrIM1lJjydl40=; b=VwU4oakccOoZE7LGDznSAaewEG kmdThQHJ9jnWEW95LOrjmlDIE5ni7VyqGR6knMsuAjIejvVLwDi+tzOvPXo3hOQLcfCz029lgbkwD Az/wW05g0zZQBfRHP7Z85L+TQphoHeuONACir1R1GAYIc19rfsIgYYodDyuM0o7D5veNydDq+d4xU +uiEywVmf32gnxZpXzAvC4Ct6+VhC5WuqdHLxIVgvOqf8vvlbw1ByKKtJWYHnk2RASqUgWos2rqsm 7RGLfpuFaI533df2QyMIOdx7wfov6mlUs7+2djHhxokbZKxFtfLeShZdgUoJaecbG4yVT3RINSX6x 
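Review bot: the new `if (len < sizeof(struct smb2_pdu) - 4) return 1;` is placed after `if (check_smb2_hdr(hdr)) return 1;`, which already inspects header fields beyond ProtocolId, so the minimum-length check should move above check_smb2_hdr() and be the first thing evaluated on the PDU. The bare `- 4` (presumably the 4-byte stream length prefix that len does not include) deserves a comment or a named constant, and a ksmbd_debug() message like the one on the StructureSize check just below would make truncated requests diagnosable.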
zBeCl0inYAIKjR4NVdMKCSCHk4X87vA9HLcu3H1WxLayQRaas2mDJYZ9Isgkr9UZ1D44h2Re/Ejvu eEy8svQY9N69NezV5z4MAoo9+Lj/ak7oE5Pr1RaVZWOv+2jYaOy5ADG6fEmvFK8CCyztpmcAjt225 l19uIsfjFjy4eukqxaDMJ1ZG; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoS-001DcY-Lq; Sat, 02 Oct 2021 13:12:24 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 10/14] ksmdb: use cmd helper variable in smb2_get_ksmbd_tcon() Date: Sat, 2 Oct 2021 15:12:08 +0200 Message-Id: <20211002131212.130629-11-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org No change in behaviour. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2pdu.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index b06361313889..7d3344b5519c 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -94,12 +94,13 @@ struct channel *lookup_chann_list(struct ksmbd_session *sess, struct ksmbd_conn int smb2_get_ksmbd_tcon(struct ksmbd_work *work) { struct smb2_hdr *req_hdr = work->request_buf; + unsigned int cmd = le16_to_cpu(req_hdr->Command); int tree_id; work->tcon = NULL; - if (work->conn->ops->get_cmd_val(work) == SMB2_TREE_CONNECT_HE || - work->conn->ops->get_cmd_val(work) == SMB2_CANCEL_HE || - work->conn->ops->get_cmd_val(work) == SMB2_LOGOFF_HE) { + if (cmd == SMB2_TREE_CONNECT_HE || + cmd == SMB2_CANCEL_HE || + cmd == SMB2_LOGOFF_HE) { ksmbd_debug(SMB, "skip to check tree connect request\n"); return 0; } From patchwork Sat Oct 2 13:12:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532163 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E7DBC433F5 for ; Sat, 2 Oct 2021 13:25:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 679D361B08 for ; Sat, 2 Oct 2021 13:25:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232981AbhJBN06 (ORCPT ); Sat, 2 Oct 2021 09:26:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN05 (ORCPT ); Sat, 2 Oct 2021 09:26:57 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD29AC0613EC for ; Sat, 2 Oct 2021 06:25:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=QpGs2DgXxGuTIpK2NWlT87Xsetv+cUnKN0xFbJPFDYU=; b=JYclVPCfweytXgpzL0PMnTYD8Q 
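Review bot: replacing `work->conn->ops->get_cmd_val(work)` with `le16_to_cpu(req_hdr->Command)` is only behaviour-neutral if get_cmd_val() reads the Command field of work->request_buf; req_hdr is initialised as `work->request_buf`, i.e. the first PDU of the stream, so if get_cmd_val() instead reads the current chained PDU (ksmbd_req_buf_next(work)) this silently changes which command is tested for compound requests. Please confirm, and since the next patch makes this function callable for chained PDUs, consider `req_hdr = ksmbd_req_buf_next(work)` so Command and TreeId are taken from the PDU being processed.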
PkRq1jYWOjjgCCI3KW5p7h1jSwzl8T14rqvRDlvRlfFuAbYNPPiRkZQukF7X4OZ84tlplWE9HZf8W F0WiYl0zwmVlpmIskfyx950mVahJ37gGBp2caUO0rAmIX7M1+NY/U2WM6TcvDdukflGpbP2/ZPiiL CnTiO0lgwzY0fse4fMqIvK5VoHXJU7Yjtw4EpdODtbE2u7oq8I2oDT9qpq8OR2oGNSm+rXqg55aRg WeycTNAR4eFnuz8hHXutHt3Zl4TgbAB89L+7BS9plG6/i4wIc/8j6jOdqlnHVuaLK3+FIpGhOXhJa xHxmbxnK+LJfSOb5viCo4+egw+LOMvkD8+OzkBF7ZleV21b4sXhBaW0QNr2anG8H+fZNMSxT+NC5Z eIwPjb8FdT1M7U6m/e37zKTlahNP2W+FuWRW9tfRWmNxUABx0C1mejOgwtfDf0Z8kAfv+85XooFcO metNzMzGjCgz5xHCijut/TCS; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoT-001DcY-B2; Sat, 02 Oct 2021 13:12:25 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 11/14] ksmdb: make smb2_get_ksmbd_tcon() callable with chained PDUs Date: Sat, 2 Oct 2021 15:12:09 +0200 Message-Id: <20211002131212.130629-12-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Also track the tcon id of compound requests. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/ksmbd_work.h | 1 + fs/ksmbd/smb2pdu.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/fs/ksmbd/ksmbd_work.h b/fs/ksmbd/ksmbd_work.h index f7156bc50049..91363d508909 100644 --- a/fs/ksmbd/ksmbd_work.h +++ b/fs/ksmbd/ksmbd_work.h @@ -46,6 +46,7 @@ struct ksmbd_work { u64 compound_fid; u64 compound_pfid; u64 compound_sid; + u32 compound_tid; const struct cred *saved_cred; diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 7d3344b5519c..8cbce9a9c2e0 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -97,7 +97,6 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) unsigned int cmd = le16_to_cpu(req_hdr->Command); int tree_id; - work->tcon = NULL; if (cmd == SMB2_TREE_CONNECT_HE || cmd == SMB2_CANCEL_HE || cmd == SMB2_LOGOFF_HE) { 
@@ -110,13 +109,26 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) return -ENOENT; } + if (req_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS) { + if (!work->tcon) { + pr_err("Missing tcon\n"); + return -EINVAL; + } + return 1; + } + + work->tcon = NULL; + work->compound_tid = 0; + tree_id = le32_to_cpu(req_hdr->Id.SyncId.TreeId); + work->tcon = ksmbd_tree_conn_lookup(work->sess, tree_id); if (!work->tcon) { pr_err("Invalid tid %d\n", tree_id); return -EINVAL; } + work->compound_tid = tree_id; return 1; } From patchwork Sat Oct 2 13:12:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532185 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B21EC433F5 for ; Sat, 2 Oct 2021 13:25:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 663B761AF7 for ; Sat, 2 Oct 2021 13:25:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233265AbhJBN11 (ORCPT ); Sat, 2 Oct 2021 09:27:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51322 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN11 (ORCPT ); Sat, 2 Oct 2021 09:27:27 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A6BFC0613EC for ; Sat, 2 Oct 2021 06:25:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=TK9qiT27d4foHLgTPiXRQKYqkNOpAHE0UzhEoKCwx40=; b=IHkQ/V0HMF6I9Qmmx+07ysI+tK GBxTg7hYKfvx+jSJYZTpxWBR8TO5T1mx+VzRbmpKmmDoxRan83tTVOkgDsHjevn3LEozkoxffhJde 
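Review bot: removing the unconditional `work->tcon = NULL;` at the top of smb2_get_ksmbd_tcon() means that for SMB2_TREE_CONNECT, SMB2_CANCEL and SMB2_LOGOFF (the early `return 0` right below) work->tcon keeps whatever the previous PDU of the compound set, because the later hunk resets it only on the non-related path; the commit message should state that this is intended and that the handlers for those three commands do not depend on tcon being NULL.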
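Review bot: in the SMB2_FLAGS_RELATED_OPERATIONS branch, `pr_err("Missing tcon\n");`, like the existing `pr_err("Invalid tid %d\n", tree_id);`, fires on input any connected client can send, so a peer can fill the kernel log at error level at will; use ksmbd_debug(SMB, ...) for client-caused validation failures. The related path also reuses the previous tcon without checking that the PDU's TreeId carries the reserved "use previous" value (0xFFFFFFFF), so a related PDU that names a different, explicit TreeId is served under the earlier tree connect; either honour or reject an explicit TreeId there.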
ofJeCbsCnhRcNEr6C/4ce2Zdvs/RvGVfa+dwnwQZV2zXAXAJbRf5az9kBDsXIGrvsfLZyMOCItt6D Pzb3cYQb9pV+j0sG1Towv/V1M/+bcIVlBo9hxOwBHYA7Q9js2WJbq0RbyeyKISSXLxybbRHtU7gPj 3/MShzg1t74OEoFYg9mFAuKfItjiRtNlV/V6qUrI5bJdV9DlTe4LIXvG0sT3Z/1jJMauJlpXi0ZI6 FEeppVGg3O9AnQFEcvJsCV9kSdSRZP2dRXnf915MRjJqN/spiQT/NiSEDQX6wKNBIIxGdLRgEffES nmRhP0A+XZBQJmAh21uEp0g1FxefrWpnyYv1rg4wNR/jqeL38Up+17MSsvWoOuxZesLhbisJa2HD3 kbQQM87QREQQpGWXt6PRIHkE; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoT-001DcY-V1; Sat, 02 Oct 2021 13:12:26 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 12/14] ksmbd: make smb2_check_user_session() callable for compound PDUs Date: Sat, 2 Oct 2021 15:12:10 +0200 Message-Id: <20211002131212.130629-13-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2pdu.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 8cbce9a9c2e0..2f71905503b5 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -416,7 +416,6 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work) work->compound_pfid = le64_to_cpu(((struct smb2_create_rsp *)rsp)-> PersistentFileId); - work->compound_sid = le64_to_cpu(rsp->SessionId); } len = get_rfc1002_len(work->response_buf) - work->next_smb2_rsp_hdr_off; 
@@ -596,7 +595,6 @@ int smb2_check_user_session(struct ksmbd_work *work) unsigned int cmd = conn->ops->get_cmd_val(work); unsigned long long sess_id; - work->sess = NULL; /* * SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP command do not * require a session id, so no need to validate user session's for 
@@ -609,11 +607,25 @@ int smb2_check_user_session(struct ksmbd_work *work) if (!ksmbd_conn_good(work)) return -EINVAL; + if (req_hdr->Flags & SMB2_FLAGS_RELATED_OPERATIONS) { + if (work->sess) { + pr_err("Missing session\n"); + return -EINVAL; + } + return 1; + } + + work->sess = NULL; + work->compound_sid = 0; + sess_id = le64_to_cpu(req_hdr->SessionId); + /* Check for validity of user session */ work->sess = ksmbd_session_lookup_all(conn, sess_id); - if (work->sess) + if (work->sess) { + work->compound_sid = sess_id; return 1; + } ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id); return -EINVAL; } From patchwork Sat Oct 2 13:12:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532171 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93F48C433F5 for ; Sat, 2 Oct 2021 13:25:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 781EC61AF7 for ; Sat, 2 Oct 2021 13:25:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233184AbhJBN1K (ORCPT ); Sat, 2 Oct 2021 09:27:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1J (ORCPT ); Sat, 2 Oct 2021 09:27:09 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C229EC0613EC for ; Sat, 2 Oct 2021 06:25:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=Umiz6jNkxJhh7bHGki0vDMexgYdOtVbyRz8bFzWT1jc=; b=Lk0VTeAgSFWPWMHbUAzTrDEHa4 
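Review bot: with `work->sess = NULL;` removed from the entry of smb2_check_user_session(), the early return for commands that need no session (the SMB2_ECHO, SMB2_NEGOTIATE, SMB2_SESSION_SETUP comment right below the removed line) now leaves work->sess as set by an earlier PDU of the compound, so a SESSION_SETUP compounded after an authenticated PDU runs with a non-NULL work->sess; the commit message should say whether that is intended or the reset should be kept for that path.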
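Review bot: the condition in the new SMB2_FLAGS_RELATED_OPERATIONS block is inverted: `if (work->sess) { pr_err("Missing session\n"); return -EINVAL; }` rejects exactly the case where a session was inherited from the previous PDU and returns 1 (proceed) when work->sess is NULL, after which the tcon lookup is attempted without a session. It should read `if (!work->sess)`, matching the `if (!work->tcon)` check added to smb2_get_ksmbd_tcon() in the previous patch; as there, a client-triggered failure should log via ksmbd_debug() rather than pr_err().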
beP/7+UqMXiQf6Tkmeqy5AtkJtCMc1dRJp1zjyrsaxzxmEPR7MuNY9vHnSs9jlrVzDhpq+2DpezV3 Up/1PXS/qlvAitXSsWyBOVggexodOLW0VVWeGE2/stbYmFPJAMjEDupAmGjOgLihcfkVY2LiKXzGV BqKWqq6WWq6gTGanbL4WylPG6+I9GXLQv4D8PjuKSn+cMV8vva85+/u8ATfMSOt7eqM4HDncmf+g3 tSsraY2NaaW6/QFlLABfonyyEQsFDYIQkULWSqV/UjvAK290o04YR64eGmCda7p3o3GoeQoBawO28 hnz0acNRAESjyrfotaEEEuV57cp7E6TKryoAiwfphkHnnzRxcb40MZImekQYnIu5k58Au2U1S5D0k duXYA+BEWH50ZRrXD+BxIXiKharIUBVWN5i7dsXz6NYUjkywgv04+N6gbkzpQnqHc4yA3i04mdB8W 7y4rjL5B1JK1zkVfjDPBnRft; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoU-001DcY-Ie; Sat, 02 Oct 2021 13:12:26 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme , Namjae Jeon , Tom Talpey , Ronnie Sahlberg , Steve French , Hyunchul Lee Subject: [PATCH v6 13/14] ksmbd: move session and tcon validation to ksmbd_smb2_check_message() Date: Sat, 2 Oct 2021 15:12:11 +0200 Message-Id: <20211002131212.130629-14-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org For compound non-related operations session id and tree id must be taken from each PDU. Cc: Namjae Jeon Cc: Tom Talpey Cc: Ronnie Sahlberg Cc: Steve French Cc: Hyunchul Lee Signed-off-by: Ralph Boehme --- fs/ksmbd/server.c | 46 +++++++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c index 2a2b2135bfde..5d1ef277653f 100644 --- a/fs/ksmbd/server.c +++ b/fs/ksmbd/server.c
@@ -101,6 +101,32 @@ static inline int check_conn_state(struct ksmbd_work *work) return 0; } +static int check_session_and_tcon(struct ksmbd_work *work) +{ + int rc; + + if (work->conn->ops->check_user_session == NULL) + return 0; + + rc = work->conn->ops->check_user_session(work); + if (rc < 0) { + work->conn->ops->set_rsp_status(work, + STATUS_USER_SESSION_DELETED); + return 1; + } + if (rc == 0) + return 0; + + rc = work->conn->ops->get_ksmbd_tcon(work); + if (rc < 0) { + work->conn->ops->set_rsp_status(work, + STATUS_NETWORK_NAME_DELETED); + return 1; + } + + return 0; +} + #define SERVER_HANDLER_CONTINUE 0 #define SERVER_HANDLER_ABORT 1 @@ -117,6 +143,9 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn, if (ksmbd_verify_smb_message(work)) return SERVER_HANDLER_ABORT; + if (check_session_and_tcon(work)) + return SERVER_HANDLER_ABORT; + command = conn->ops->get_cmd_val(work); *cmd = command; 
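Review bot: in the @@ -101 hunk, check_session_and_tcon() returns bare 0/1 whose meaning (0 = continue, 1 = abort with the response status already set) is only implied by its caller; since SERVER_HANDLER_CONTINUE and SERVER_HANDLER_ABORT are defined immediately below it, move those defines above the function and return them instead, and add a short comment stating that a non-zero return means set_rsp_status() has already been called. Note also that when ops->check_user_session is NULL the function returns 0 without ever calling get_ksmbd_tcon(); that preserves the old nesting from __handle_ksmbd_work(), but deserves a comment so it is not read as an oversight.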
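Review bot: in the @@ -117 hunk, the SERVER_HANDLER_ABORT return now happens before `command = conn->ops->get_cmd_val(work); *cmd = command;`, whereas the code removed from __handle_ksmbd_work() explicitly did `command = conn->ops->get_cmd_val(work);` before `goto send` in the STATUS_USER_SESSION_DELETED case; confirm that the send path does not need *cmd populated when __process_request() aborts here (the ksmbd_verify_smb_message() abort just above takes the same early exit, so it is probably fine, but the commit message should say so). The subject line also says the validation moves to ksmbd_smb2_check_message(), while the code actually adds check_session_and_tcon() in fs/ksmbd/server.c; one of the two should be corrected.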
@@ -184,23 +213,6 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, goto send; } - if (conn->ops->check_user_session) { - rc = conn->ops->check_user_session(work); - if (rc < 0) { - command = conn->ops->get_cmd_val(work); - conn->ops->set_rsp_status(work, - STATUS_USER_SESSION_DELETED); - goto send; - } else if (rc > 0) { - rc = conn->ops->get_ksmbd_tcon(work); - if (rc < 0) { - conn->ops->set_rsp_status(work, - STATUS_NETWORK_NAME_DELETED); - goto send; - } - } - } - do { rc = __process_request(work, conn, &command); if (rc == SERVER_HANDLER_ABORT) From patchwork Sat Oct 2 13:12:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Boehme X-Patchwork-Id: 12532187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F99CC433EF for ; Sat, 2 Oct 2021 13:25:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EC8C861B08 for ; Sat, 2 Oct 2021 13:25:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233285AbhJBN1b (ORCPT ); Sat, 2 Oct 2021 09:27:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51332 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230089AbhJBN1a (ORCPT ); Sat, 2 Oct 2021 09:27:30 -0400 Received: from hr2.samba.org (hr2.samba.org [IPv6:2a01:4f8:192:486::2:0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 970A6C0613EC for ; Sat, 2 Oct 2021 06:25:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42; h=Message-Id:Date:Cc:To:From; bh=uDE1hT2AYr4GnzXWR53eORG83zzTctwt6f2au/8awBI=; b=QCk31XxwfLkL8P5F15D3gOOYLg 
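Review bot: removing this pre-loop block moves the session and tcon validation from once per received buffer to once per PDU inside the `do { rc = __process_request(work, conn, &command); ... }` loop, so a compound whose first PDU fails validation now aborts from within the loop rather than skipping it entirely, and every later PDU in a non-related compound is validated against its own SessionId/TreeId; that is the behaviour the commit message asks for, but the message should state the change in where the abort happens, since the error response path is now reached through SERVER_HANDLER_ABORT rather than the old `goto send`.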
vWm8icf/0flnF+BWtmMGgLoVH20vHarztqfkLeiljw80yMi0K3H1Wu7xwgTf91jfERdmDZuiad51i Fy7iQ9+NN3DfpKt+p4waF0qSFh6foyqaNsAXWDOwc0gd/EtBv6vr1zBETivl6yZXUCnXK1aHiJihC +pxVX0F07ucC46iH8xHqSGLPoDwNOPaFA7TfFK7RcSloC7n/QcAWEk/03+MU3db7jIV5Pfsd4AubO YUi+ov5ZIDQohU+k8oSi2gQreYItmt7aCnsNiygnPtYBf0KnqQX2HziCTqy/t8wXdUer4wzlGe/1F Z9s01CM7IvPKfN+lg860ved2FvrWTzHKxnaG27AR64hrVzwhiyEVsTBK7CO7IZhOE1M1GPS6XLDRk Jrfp24e8nTvZiNrN9Ucynt7DiuQqcv1O/oDIZdJwvay8/xHnw2/PGkZ1UfTP3Yy9yWrGnfrXgU80W cgqcLC5DG8NjM4gXDgnV3rlK; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__CHACHA20_POLY1305:256) (Exim) id 1mWeoV-001DcY-2U; Sat, 02 Oct 2021 13:12:27 +0000 From: Ralph Boehme To: linux-cifs@vger.kernel.org Cc: Ralph Boehme Subject: [PATCH v6 14/14] ksmbd: validate credit charge after validating SMB2 PDU body size Date: Sat, 2 Oct 2021 15:12:12 +0200 Message-Id: <20211002131212.130629-15-slow@samba.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211002131212.130629-1-slow@samba.org> References: <20211002131212.130629-1-slow@samba.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org smb2_validate_credit_charge() accesses fields in the SMB2 PDU body, but until smb2_calc_size() is called the PDU has not yet been verified to be large enough to access the PDU dynamic part length field. Signed-off-by: Ralph Boehme --- fs/ksmbd/smb2misc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 541b39b7a84b..6e6d64b796c9 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -373,12 +373,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) } } - if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && - smb2_validate_credit_charge(hdr)) { - work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); - return 1; - } - if (smb2_calc_size(hdr, &clc_len)) return 1;
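Review bot: with the credit-charge check removed from before smb2_calc_size(), a PDU that used to be rejected at this point with STATUS_INVALID_PARAMETER now goes through smb2_calc_size() and the size checks first, so the status a client sees for a PDU that is both undersized and carries a bad CreditCharge changes; that is the intended ordering per the commit message, but it is worth saying explicitly there that the old position read a body field (the dynamic-part length) before the body length had been validated, which is the out-of-bounds read this reorder closes.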
@@ -416,6 +410,12 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } + if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && + smb2_validate_credit_charge(hdr)) { + work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); + return 1; + } + return 0; }
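Review bot: add a one-line comment above the moved block stating that it must stay after smb2_calc_size() because smb2_validate_credit_charge() reads the PDU body's dynamic-part length, which is only known to be within the received buffer once the size check has passed; without it the placement looks arbitrary and a later cleanup could move the check back up. Note also that when SMB2_GLOBAL_CAP_LARGE_MTU is not negotiated the CreditCharge field is never validated at all; that is pre-existing behaviour, but a line in the commit message would make clear it is unchanged by this patch.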