From patchwork Sat Oct 22 07:19:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 7361
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4242:0:0:0:0:0 with SMTP id s2csp1095664wrr;
        Sat, 22 Oct 2022 01:03:15 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM6tCLQcdh/ELC9Fk87gdyl9Aevk8at36ioelUWMVqwGx0OKrVFS/6mIsBvR9Vo7RTJH5LSG
X-Received: by 2002:a17:903:228a:b0:186:7383:dd5d with SMTP id
 b10-20020a170903228a00b001867383dd5dmr9426548plh.121.1666425795342;
        Sat, 22 Oct 2022 01:03:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666425795; cv=none;
        d=google.com; s=arc-20160816;
        b=Vhi6mJsTiJTIuRaIcCovbg9AK+oO7ygGbOsuf3tfHHIwIkRu+7GaxCg/k9ljcE2K/6
         Q9CeUSAd41jkPEBkmhWxawnFaGRiPOLIzw1xWyn7BYMNZmbPFfxqEFCjTjD35XdkTHZI
         dWgwLVUWThY2aG2squAgBqY18Ju2jrvm4J011Xr9p1VJuDsCnYcS7luZidYrQmJGHbNj
         xUcsgrlCNKqpbdOkeuaFp7YcQOz3qliBIhFBYJYLKSoYiDKNkpaCdqnQbKQPnsHcElU6
         Ue+oVuPTomFYZQTj1ObsELeRG+Op3Ka63u8YP8fVz5fTDTIj256NJxLh4Gxg5zY9hATS
         2DRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=EtTHJ5O7C4RilcIIpLBhWdMIrp1ESfuEeqEYD72H94s=;
        b=sLV3YXW8nSv7EgQRQTExigwaOqdTSHb+0zxj9GfqG+4y9QpZGW26QOMJCHBa/wBHJs
         o0dXTYtHeUBh4oXnHBfjnP8Gxin+5uQL2s47KROEJ2aj3kud+47m49HDEgSvuHXTsVVA
         uRCWYDu0tRnhR3SnIgaNrQPwoKjbC2ch7gpBYNq0WdomQBGR0suKh0uDFsJpt7jlEP4E
         gzglJwUVSggw/6UfFiApgJ/xcs/rRMIuM66hZzysdWt5jiD2y3om8azaS/Ia7TflzWOk
         dr7gyvHqcN4Pe+ic2JZjU2ckK1N8bxC1h1g0VFusS3DmOUar5M2zhnEDZ2L1U5sZeWd8
         1n7Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=Fy9x5EOE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 m4-20020a170902db0400b0017a0fe2e1fdsi33997032plx.450.2022.10.22.01.03.01;
        Sat, 22 Oct 2022 01:03:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=Fy9x5EOE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232300AbiJVICo (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
        Sat, 22 Oct 2022 04:02:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42478 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232290AbiJVHyj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 22 Oct 2022 03:54:39 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A947C951ED;
        Sat, 22 Oct 2022 00:47:43 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id E541A60B79;
        Sat, 22 Oct 2022 07:40:10 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 051C0C4314B;
        Sat, 22 Oct 2022 07:40:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666424410;
        bh=dnR68S+GglvsGCWDNsJlZ6XYUD/v8mulvUWGGeDe8KI=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Fy9x5EOENK3T34j5pt0Gkp78wcu79rxwyt/aAcoWbP/dxQdK5J/DxYJmg2fOiDgoz
         EAvZTN+WaGBJeA9t2YQN49HcMX4wbzzrIpN3El6ZOK8E1aHqkQo/zEbUyTrtWXoENx
         vKrYp6goZ2kqF+xwNg7sRE7fCyd8L/eMCd47KUOQ=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Zhang Xiaoxu <zhangxiaoxu5@huawei.com>,
        Namjae Jeon <linkinjeon@kernel.org>,
        Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.19 104/717] ksmbd: Fix wrong return value and message length
 check in smb2_ioctl()
Date: Sat, 22 Oct 2022 09:19:43 +0200
Message-Id: <20221022072433.802029429@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747374094820516752?=
X-GMAIL-MSGID: =?utf-8?q?1747374094820516752?=

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.

Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
break, and move its struct to smbfs_common") use the defination
of 'struct validate_negotiate_info_req' in smbfs_common, the
array length of 'Dialects' changed from 1 to 4, but the protocol
does not require the client to send all 4. This lead the request
which satisfied with protocol and server to fail.

So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it
to validate the payload length and each dialect.

Also when the {in, out}_buf_len is less than the required, should
goto out to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ksmbd/smb2pdu.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7627,11 +7627,16 @@ int smb2_ioctl(struct ksmbd_work *work)
 			goto out;
 		}
 
-		if (in_buf_len < sizeof(struct validate_negotiate_info_req))
-			return -EINVAL;
+		if (in_buf_len < offsetof(struct validate_negotiate_info_req,
+					  Dialects)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
-		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
-			return -EINVAL;
+		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
 		ret = fsctl_validate_negotiate_info(conn,
 			(struct validate_negotiate_info_req *)&req->Buffer[0],