824d4f64c2
If Status is not 0 and PathLength is long,
smb_strndup_from_utf16 could make an out-of-bounds
read in smb2_tree_connect.
This bug can lead to an oops looking something like:
[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805
...
[ 1553.882095] Call Trace:
[ 1553.882098] <TASK>
[ 1553.882101] dump_stack_lvl+0x49/0x5f
[ 1553.882107] print_report.cold+0x5e/0x5cf
[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882122] kasan_report+0xaa/0x120
[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20
[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd]
[ 1553.882166] ? __kmalloc_node+0x185/0x430
[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd]
[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
[ 1553.882197] process_one_work+0x778/0x11c0
[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0
[ 1553.882206] worker_thread+0x544/0x1180
[ 1553.882209] ? __cpuidle_text_end+0x4/0x4
[ 1553.882214] kthread+0x282/0x320
[ 1553.882218] ? process_one_work+0x11c0/0x11c0
[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30
[ 1553.882225] ret_from_fork+0x1f/0x30
[ 1553.882231] </TASK>
There is no need to check error request validation in the server.
This check allows invalid requests not to be validated.
Fixes: