linux/fs/cifs
Gustavo A. R. Silva 8d8d1dbefc smb3: Fix out-of-bounds bug in SMB2_negotiate()
While addressing some warnings generated by -Warray-bounds, I found this
bug that was introduced back in 2017:

  CC [M]  fs/cifs/smb2pdu.o
fs/cifs/smb2pdu.c: In function ‘SMB2_negotiate’:
fs/cifs/smb2pdu.c:822:16: warning: array subscript 1 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  822 |   req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:823:16: warning: array subscript 2 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  823 |   req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:824:16: warning: array subscript 3 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  824 |   req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID);
      |   ~~~~~~~~~~~~~^~~
fs/cifs/smb2pdu.c:816:16: warning: array subscript 1 is above array bounds
of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
  816 |   req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
      |   ~~~~~~~~~~~~~^~~

At the time, the size of array _Dialects_ was changed from 1 to 3 in struct
validate_negotiate_info_req, and then in 2019 it was changed from 3 to 4,
but those changes were never made in struct smb2_negotiate_req, which has
led to a 3-and-a-half-year-old out-of-bounds bug in function
SMB2_negotiate() (fs/cifs/smb2pdu.c).

Fix this by increasing the size of array _Dialects_ in struct
smb2_negotiate_req to 4.

Fixes: 9764c02fcb ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
Fixes: d5c7076b77 ("smb3: add smb3.1.1 to default dialect list")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
2021-02-01 22:43:39 -06:00
asn1.c cifs: remove bogus debug code 2020-10-22 12:17:52 -05:00
cache.c cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
cifs_debug.c cifs: Add witness information to debug data dump 2020-12-14 09:16:22 -06:00
cifs_debug.h cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifs_dfs_ref.c cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
cifs_fs_sb.h cifs: move [brw]size from cifs_sb to cifs_sb->ctx 2020-12-14 09:26:30 -06:00
cifs_ioctl.h cifs: add SMB3 change notification support 2020-02-06 09:14:28 -06:00
cifs_spnego.c cifs: switch servers depending on binding state 2019-11-25 01:16:30 -06:00
cifs_spnego.h
cifs_swn.c cifs: Re-indent cifs_swn_reconnect() 2020-12-18 00:02:37 -06:00
cifs_swn.h cifs: Send witness register messages to userspace daemon in echo task 2020-12-14 09:16:23 -06:00
cifs_unicode.c Convert trailing spaces and periods in path components 2020-10-11 23:57:18 -05:00
cifs_unicode.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifs_uniupr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
cifsacl.c SMB3: Add support for getting and setting SACLs 2020-12-18 13:25:57 -06:00
cifsacl.h cifs: Enable sticky bit with cifsacl mount option. 2020-12-13 19:12:07 -06:00
cifsencrypt.c cifs: switch to new mount api 2020-12-13 19:12:07 -06:00
cifsfs.c cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
cifsfs.h cifs: update internal module version number 2020-12-16 21:56:42 -06:00
cifsglob.h SMB3: Add support for getting and setting SACLs 2020-12-18 13:25:57 -06:00
cifspdu.h SMB3: Add support for getting and setting SACLs 2020-12-18 13:25:57 -06:00
cifsproto.h cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
cifsroot.c cifs: Standardize logging output 2020-06-01 00:10:18 -05:00
cifssmb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
connect.c cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
dfs_cache.c cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
dfs_cache.h cifs: rename smb_vol as smb3_fs_context and move it to fs_context.h 2020-12-13 19:12:07 -06:00
dir.c cifs: rename smb_vol as smb3_fs_context and move it to fs_context.h 2020-12-13 19:12:07 -06:00
dns_resolve.c keys: Pass the network namespace into request_key mechanism 2019-06-27 23:02:12 +01:00
dns_resolve.h
export.c docs: fs: convert docs without extension to ReST 2019-07-31 13:31:05 -06:00
file.c cifs: move [brw]size from cifs_sb to cifs_sb->ctx 2020-12-14 09:26:30 -06:00
fs_context.c cifs: fix dfs domain referrals 2021-01-28 21:40:43 -06:00
fs_context.h cifs: move update of flags into a separate function 2020-12-14 09:28:25 -06:00
fscache.c cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
fscache.h cifs: Make extract_sharename function public 2020-12-14 09:16:22 -06:00
inode.c cifs: move [brw]size from cifs_sb to cifs_sb->ctx 2020-12-14 09:26:30 -06:00
ioctl.c cifs: fix reference leak for tlink 2020-07-09 10:06:52 -05:00
Kconfig cifs: minor updates to Kconfig 2020-12-14 09:16:22 -06:00
link.c smb311: add support for using info level for posix extensions query 2020-06-12 08:54:12 -05:00
Makefile cifs: Send witness register and unregister commands to userspace daemon 2020-12-14 09:16:22 -06:00
misc.c cifs: remove [gu]id/backup[gu]id/file_mode/dir_mode from cifs_sb 2020-12-14 09:16:23 -06:00
netlink.c cifs: Set witness notification handler for messages from userspace daemon 2020-12-14 09:16:22 -06:00
netlink.h cifs: Register generic netlink family 2020-12-14 09:16:22 -06:00
netmisc.c cifs: handle ERRBaduid for SMB1 2020-08-02 18:00:25 -05:00
nterr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
nterr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ntlmssp.h
readdir.c cifs: remove [gu]id/backup[gu]id/file_mode/dir_mode from cifs_sb 2020-12-14 09:16:23 -06:00
rfc1002pdu.h
sess.c cifs: simplify handling of cifs_sb/ctx->local_nls 2020-12-14 09:26:30 -06:00
smb1ops.c cifs: move [brw]size from cifs_sb to cifs_sb->ctx 2020-12-14 09:26:30 -06:00
smb2file.c cifs: allow unlock flock and OFD lock across fork 2020-03-22 22:49:09 -05:00
smb2glob.h smb3.1.1: set gcm256 when requested 2020-10-19 15:11:11 -05:00
smb2inode.c smb3: add support for stat of WSL reparse points for special file types 2020-10-23 15:38:10 -05:00
smb2maperror.c cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES 2020-10-15 23:58:14 -05:00
smb2misc.c cifs: remove various function description warnings 2020-12-14 09:16:23 -06:00
smb2ops.c Add SMB 2 support for getting and setting SACLs 2020-12-18 23:32:04 -06:00
smb2pdu.c cifs: fix interrupted close commands 2021-01-13 12:55:33 -06:00
smb2pdu.h smb3: Fix out-of-bounds bug in SMB2_negotiate() 2021-02-01 22:43:39 -06:00
smb2proto.h SMB3: Add support for getting and setting SACLs 2020-12-18 13:25:57 -06:00
smb2status.h cifs: don't use __constant_cpu_to_le32() 2019-05-07 23:24:54 -05:00
smb2transport.c smb3.1.1: set gcm256 when requested 2020-10-19 15:11:11 -05:00
smbdirect.c cifs: Fix fall-through warnings for Clang 2020-12-13 19:12:07 -06:00
smbdirect.h cifs: smbd: Do not schedule work to send immediate packet on every receive 2020-04-07 12:41:16 -05:00
smbencrypt.c fs: cifs: move from the crypto cipher API to the new DES library interface 2019-08-22 14:57:34 +10:00
smberr.h
smbfsctl.h smb3: add some missing definitions from MS-FSCC 2020-10-23 15:38:10 -05:00
trace.c smb3: Cleanup license mess 2019-01-24 09:37:33 -06:00
trace.h cifs: Tracepoints and logs for tracing credit changes. 2020-12-15 16:56:04 -06:00
transport.c cifs: do not fail __smb_send_rqst if non-fatal signals are pending 2021-01-23 01:28:20 -06:00
unc.c cifs: remove some minor warnings pointed out by kernel test robot 2020-12-14 09:16:23 -06:00
winucase.c Replace HTTP links with HTTPS ones: CIFS 2020-07-05 14:23:38 -06:00
xattr.c Add SMB 2 support for getting and setting SACLs 2020-12-18 23:32:04 -06:00