ksmbd: fix invalid request buffer access in compound
Ronnie reported invalid request buffer access in chained command when inserting garbage value to NextCommand of compound request. This patch add validation check to avoid this issue. Cc: Tom Talpey <tom@talpey.com> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Ralph Böhme <slow@samba.org> Tested-by: Steve French <smfrench@gmail.com> Reviewed-by: Steve French <smfrench@gmail.com> Acked-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
18d46769d5
commit
d72a9c1588
@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
|
||||
bool is_chained_smb2_message(struct ksmbd_work *work)
|
||||
{
|
||||
struct smb2_hdr *hdr = work->request_buf;
|
||||
unsigned int len;
|
||||
unsigned int len, next_cmd;
|
||||
|
||||
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
|
||||
return false;
|
||||
|
||||
hdr = ksmbd_req_buf_next(work);
|
||||
if (le32_to_cpu(hdr->NextCommand) > 0) {
|
||||
next_cmd = le32_to_cpu(hdr->NextCommand);
|
||||
if (next_cmd > 0) {
|
||||
if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
|
||||
__SMB2_HEADER_STRUCTURE_SIZE >
|
||||
get_rfc1002_len(work->request_buf)) {
|
||||
pr_err("next command(%u) offset exceeds smb msg size\n",
|
||||
next_cmd);
|
||||
return false;
|
||||
}
|
||||
|
||||
ksmbd_debug(SMB, "got SMB2 chained command\n");
|
||||
init_chained_smb2_rsp(work);
|
||||
return true;
|
||||
|
Loading…
Reference in New Issue
Block a user