From patchwork Sat Oct 22 07:19:43 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 7361
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhang Xiaoxu, Namjae Jeon, Steve French
Subject: [PATCH 5.19 104/717] ksmbd: Fix wrong return value and message length check in smb2_ioctl()
Date: Sat, 22 Oct 2022 09:19:43 +0200
Message-Id: <20221022072433.802029429@linuxfoundation.org>
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhang Xiaoxu

commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.

Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and
move its struct to smbfs_common") uses the definition of
'struct validate_negotiate_info_req' in smbfs_common, where the array
length of 'Dialects' changed from 1 to 4, but the protocol does not
require the client to send all 4. This led requests that satisfied the
protocol and the server to fail.

So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it to
validate the payload length and each dialect.

Also, when the {in, out}_buf_len is less than required, we should goto
out to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2pdu.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -7627,11 +7627,16 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) - return -EINVAL; + if (in_buf_len < offsetof(struct validate_negotiate_info_req, + Dialects)) { + ret = -EINVAL; + goto out; + } - if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) - return -EINVAL; + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { + ret = -EINVAL; + goto out; + } ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0],
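Review bot: the first block's new bound, `offsetof(struct validate_negotiate_info_req, Dialects)`, only guarantees that DialectCount itself lies inside the buffer; the per-dialect bound (DialectCount dialects, two bytes each, must still fit in in_buf_len) is delegated to fsctl_validate_negotiate_info(), whose call is cut off at the end of the hunk. Please confirm that in_buf_len reaches that callee, as the commit message says it "will use it to validate the payload length and each dialect", so a request that claims more dialects than it carries is rejected rather than read past the end of the payload. Both `ret = -EINVAL; goto out;` branches also depend on the out: label, outside this hunk, turning ret into the response header status; a short comment on the first branch saying that the old bare `return -EINVAL` skipped that status initialization would document why the return value change was needed.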
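The two-stage check the commit message describes, header first and then the dialect array bounded by DialectCount, as an added C example that is not ksmbd's code. The struct `vni_req`, the `validate_negotiate_info` and `build_vni_req` functions and the requests they build are all constructed here for illustration; the field names follow the commit message, not the kernel's header. It shows why `offsetof` rather than `sizeof` is the right header bound (a client sending one dialect is valid) and how a request whose DialectCount promises more dialects than the payload carries is refused before any dialect is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical stand-in for the SMB2 VALIDATE_NEGOTIATE_INFO
 * request body: fixed fields, then DialectCount little-endian 16-bit
 * dialects. Not ksmbd's struct; names follow the commit message. */
struct vni_req {
    uint32_t Capabilities;
    uint8_t  Guid[16];
    uint16_t SecurityMode;
    uint16_t DialectCount;
    uint16_t Dialects[4];   /* nominal room for 4; clients may send fewer */
};

enum vni_result { VNI_OK = 0, VNI_TOO_SHORT = -1, VNI_NO_MATCH = -2 };

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate in_buf_len bytes at buf. Stage 1: the header up to and including
 * DialectCount must be present (offsetof, not sizeof, so 1..4 dialects are
 * all acceptable). Stage 2: DialectCount bounds the dialect array, which is
 * only read once it is known to lie inside the payload. */
int validate_negotiate_info(const uint8_t *buf, size_t in_buf_len,
                            uint16_t server_dialect, uint16_t *chosen)
{
    const size_t hdr_len = offsetof(struct vni_req, Dialects);
    if (in_buf_len < hdr_len)
        return VNI_TOO_SHORT;

    uint16_t count = rd16le(buf + offsetof(struct vni_req, DialectCount));
    /* Every dialect DialectCount promises must fit in the remaining bytes. */
    if (count == 0 || in_buf_len - hdr_len < (size_t)count * sizeof(uint16_t))
        return VNI_TOO_SHORT;

    for (size_t i = 0; i < count; i++) {
        uint16_t d = rd16le(buf + hdr_len + i * sizeof(uint16_t));
        if (d == server_dialect) {
            if (chosen)
                *chosen = d;
            return VNI_OK;
        }
    }
    return VNI_NO_MATCH;
}

/* Build a constructed request carrying the given dialects into out;
 * returns the request length, or 0 if cap is too small. */
size_t build_vni_req(uint8_t *out, size_t cap, const uint16_t *dialects, size_t n)
{
    size_t len = offsetof(struct vni_req, Dialects) + n * sizeof(uint16_t);
    if (len > cap)
        return 0;
    memset(out, 0, len);
    out[offsetof(struct vni_req, DialectCount)]     = (uint8_t)(n & 0xff);
    out[offsetof(struct vni_req, DialectCount) + 1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) {
        size_t off = offsetof(struct vni_req, Dialects) + i * sizeof(uint16_t);
        out[off]     = (uint8_t)(dialects[i] & 0xff);
        out[off + 1] = (uint8_t)(dialects[i] >> 8);
    }
    return len;
}

int main(void)
{
    uint8_t buf[64];
    uint16_t chosen = 0;
    const uint16_t one[]  = { 0x0311 };                          /* constructed */
    const uint16_t four[] = { 0x0202, 0x0210, 0x0300, 0x0311 };  /* constructed */

    size_t len = build_vni_req(buf, sizeof buf, one, 1);
    printf("one dialect (%zu bytes): %d\n", len,
           validate_negotiate_info(buf, len, 0x0311, &chosen));

    len = build_vni_req(buf, sizeof buf, four, 4);
    printf("four dialects (%zu bytes): %d\n", len,
           validate_negotiate_info(buf, len, 0x0311, &chosen));

    /* DialectCount still says 4, but the payload stops after the header. */
    printf("truncated: %d\n",
           validate_negotiate_info(buf, offsetof(struct vni_req, Dialects),
                                   0x0311, &chosen));
    return 0;
}
```

With a `sizeof`-based header check the one-dialect request (26 bytes against a 32-byte struct) would be rejected even though it is well-formed; with the `offsetof` check it passes, while the truncated request is still refused because its DialectCount cannot be honoured by the bytes actually present.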