From patchwork Wed Oct 19 08:23:22 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 4666
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhang Xiaoxu, Namjae Jeon, Steve French
Subject: [PATCH 6.0 115/862] ksmbd: Fix wrong return value and message length check in smb2_ioctl()
Date: Wed, 19 Oct 2022 10:23:22 +0200
Message-Id: <20221019083255.008168069@linuxfoundation.org>
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>

From: Zhang Xiaoxu

commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.

Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and
move its struct to smbfs_common") uses the definition of
'struct validate_negotiate_info_req' in smbfs_common, the array length
of 'Dialects' changed from 1 to 4, but the protocol does not require
the client to send all 4. This leads the request which satisfies the
protocol and server to fail.

So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it to
validate the payload length and each dialect.

Also, when the {in, out}_buf_len is less than required, it should goto
out to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2pdu.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -7637,11 +7637,16 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) - return -EINVAL; + if (in_buf_len < offsetof(struct validate_negotiate_info_req, + Dialects)) { + ret = -EINVAL; + goto out; + } - if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) - return -EINVAL; + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { + ret = -EINVAL; + goto out; + } ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0],
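
Review bot: the relaxed in_buf_len check against offsetof(struct validate_negotiate_info_req, Dialects) proves only that the fixed fields ahead of Dialects are present, and nothing visible in this hunk bounds DialectCount or the Dialects[] entries against in_buf_len. The commit message says fsctl_validate_negotiate_info() performs that validation, but the call shown here is cut off after the &req->Buffer[0] cast, so it is not visible whether in_buf_len is passed down to it. Please confirm the callee rejects a DialectCount larger than (in_buf_len - offsetof(..., Dialects)) / sizeof(Dialects[0]) before it reads any dialect, and add a short comment above the new check stating that the per-dialect bound lives in the callee, so a later refactor does not drop it. Replacing return -EINVAL with ret = -EINVAL; goto out; in both checks matches the stated goal of initializing the status in the response header.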
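
The length check the commit message describes, as an added userspace illustration (not the ksmbd code): a request carrying one dialect fails a sizeof-based check but passes a staged check that validates the fixed fields first and then DialectCount against the remaining bytes. The struct layout, the fields other than DialectCount and Dialects, and the names vneg_req, old_check, staged_check and build_sample are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, for illustration only. DialectCount and Dialects are the
 * names used in the commit message; the other fields are placeholders. */
struct vneg_req {
	uint32_t Capabilities;
	uint8_t  Guid[16];
	uint16_t SecurityMode;
	uint16_t DialectCount;
	uint16_t Dialects[4];
} __attribute__((packed));
#define FIXED_LEN offsetof(struct vneg_req, Dialects)
#define COUNT_OFF offsetof(struct vneg_req, DialectCount)

/* Pre-patch style check: demands room for all four Dialects slots. */
int old_check(size_t in_buf_len)
{
	return in_buf_len < sizeof(struct vneg_req) ? -1 : 0;
}

/* Stage 1: fixed fields present. Stage 2: claimed count fits the buffer. */
int staged_check(const uint8_t *buf, size_t in_buf_len)
{
	if (in_buf_len < FIXED_LEN)
		return -1;
	/* DialectCount is little-endian on the wire; read it byte-wise. */
	uint16_t count = (uint16_t)(buf[COUNT_OFF] | (buf[COUNT_OFF + 1] << 8));
	if (count > (in_buf_len - FIXED_LEN) / sizeof(uint16_t))
		return -1;
	return 0;
}

/* Constructed sample: header claims `claimed` dialects, payload carries `sent`
 * (sent <= 4). Returns the payload length a server would see. */
size_t build_sample(uint8_t *buf, uint16_t claimed, uint16_t sent)
{
	memset(buf, 0, sizeof(struct vneg_req));
	buf[COUNT_OFF] = (uint8_t)(claimed & 0xff);
	buf[COUNT_OFF + 1] = (uint8_t)(claimed >> 8);
	return FIXED_LEN + sent * sizeof(uint16_t);
}

int main(void)
{
	uint8_t buf[sizeof(struct vneg_req)];
	size_t n = build_sample(buf, 1, 1);
	printf("len=%zu old=%d staged=%d\n", n, old_check(n), staged_check(buf, n));
	return 0;
}
```

The second stage is what makes the relaxed first stage safe: a header that claims more dialects than the buffer holds is still rejected.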