ksmbd: validate length in smb2_write()
The SMB2 Write packet contains data that is to be written to a file or to a pipe. Depending on the client, there may be padding between the header and the data field. Currently, the length is validated only in the case padding is present. Since the DataOffset field always points to the beginning of the data, there is no need to have a special case for padding. By removing this, the length is validated in both cases. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
d21a580daf
commit
158a66b245
@ -6328,23 +6328,18 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
|
|||||||
length = le32_to_cpu(req->Length);
|
length = le32_to_cpu(req->Length);
|
||||||
id = req->VolatileFileId;
|
id = req->VolatileFileId;
|
||||||
|
|
||||||
if (le16_to_cpu(req->DataOffset) ==
|
if ((u64)le16_to_cpu(req->DataOffset) + length >
|
||||||
offsetof(struct smb2_write_req, Buffer)) {
|
get_rfc1002_len(work->request_buf)) {
|
||||||
data_buf = (char *)&req->Buffer[0];
|
pr_err("invalid write data offset %u, smb_len %u\n",
|
||||||
} else {
|
le16_to_cpu(req->DataOffset),
|
||||||
if ((u64)le16_to_cpu(req->DataOffset) + length >
|
get_rfc1002_len(work->request_buf));
|
||||||
get_rfc1002_len(work->request_buf)) {
|
err = -EINVAL;
|
||||||
pr_err("invalid write data offset %u, smb_len %u\n",
|
goto out;
|
||||||
le16_to_cpu(req->DataOffset),
|
|
||||||
get_rfc1002_len(work->request_buf));
|
|
||||||
err = -EINVAL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
|
|
||||||
le16_to_cpu(req->DataOffset));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
|
||||||
|
le16_to_cpu(req->DataOffset));
|
||||||
|
|
||||||
rpc_resp = ksmbd_rpc_write(work->sess, id, data_buf, length);
|
rpc_resp = ksmbd_rpc_write(work->sess, id, data_buf, length);
|
||||||
if (rpc_resp) {
|
if (rpc_resp) {
|
||||||
if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
|
if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
|
||||||
@ -6489,22 +6484,16 @@ int smb2_write(struct ksmbd_work *work)
|
|||||||
|
|
||||||
if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
|
if (req->Channel != SMB2_CHANNEL_RDMA_V1 &&
|
||||||
req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
|
req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) {
|
||||||
if (le16_to_cpu(req->DataOffset) ==
|
if ((u64)le16_to_cpu(req->DataOffset) + length >
|
||||||
offsetof(struct smb2_write_req, Buffer)) {
|
get_rfc1002_len(work->request_buf)) {
|
||||||
data_buf = (char *)&req->Buffer[0];
|
pr_err("invalid write data offset %u, smb_len %u\n",
|
||||||
} else {
|
le16_to_cpu(req->DataOffset),
|
||||||
if ((u64)le16_to_cpu(req->DataOffset) + length >
|
get_rfc1002_len(work->request_buf));
|
||||||
get_rfc1002_len(work->request_buf)) {
|
err = -EINVAL;
|
||||||
pr_err("invalid write data offset %u, smb_len %u\n",
|
goto out;
|
||||||
le16_to_cpu(req->DataOffset),
|
|
||||||
get_rfc1002_len(work->request_buf));
|
|
||||||
err = -EINVAL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
|
|
||||||
le16_to_cpu(req->DataOffset));
|
|
||||||
}
|
}
|
||||||
|
data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
|
||||||
|
le16_to_cpu(req->DataOffset));
|
||||||
|
|
||||||
ksmbd_debug(SMB, "flags %u\n", le32_to_cpu(req->Flags));
|
ksmbd_debug(SMB, "flags %u\n", le32_to_cpu(req->Flags));
|
||||||
if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
|
if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
|
||||||
|
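Review bot: The new bound in smb2_write_pipe only checks that DataOffset + Length stays within the RFC1002 length, so a DataOffset smaller than the fixed request layout still passes and data_buf (computed as ProtocolId + DataOffset) would point into the SMB2 header fields rather than at the write payload; the removed branch implicitly pinned the no-padding case to offsetof(struct smb2_write_req, Buffer), and that lower bound is now gone. Rejecting such requests explicitly keeps a malformed packet's header bytes from being written as pipe or file data, e.g. `if (le16_to_cpu(req->DataOffset) < offsetof(struct smb2_write_req, Buffer) ||` followed by `(u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(work->request_buf)) {`. The second hunk, the non-RDMA branch of smb2_write, has the same shape and would take the same two-line guard. Both enclosing functions begin and end outside the hunks, so the declarations of length/data_buf and the out: label are not visible here.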