From patchwork Mon Oct 24 11:28:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 8880
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp433384wru;
        Mon, 24 Oct 2022 05:49:20 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM59/YOYEWPQWNz/JLENX38hJS6P+Ih65JDTl1bbSOB8l2P64GrXjDv0YUnPf8C4jgDUBWh4
X-Received: by 2002:a05:6a00:21ca:b0:569:92dc:2949 with SMTP id
 t10-20020a056a0021ca00b0056992dc2949mr21313677pfj.63.1666615760309;
        Mon, 24 Oct 2022 05:49:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666615760; cv=none;
        d=google.com; s=arc-20160816;
        b=yU5swRF4htNwQLNg4GcMtxNKZqd82Z0qmpYLEOOGMFOVuoMEUmMp2+g8XW6oiYTYD5
         3MGAKf1VRFoVzKCa3p9P5GWOA2qIOBVD510o5XiNtyURRpps0jPBS2xQqJBjBCtN30Q4
         SKFwoQUlvCgtYYc3MXQivMBJQ6GxJ500B0kx2oq5xDdfxbdFCqyahwa/TtWxEHESH54f
         HjnqTxO+OAcXjE2o/rccFsmp+0LARVdbMvbybK/QIzNYvI0ZJnahh179Sn4nIfZW33f5
         a04fiGQ+IOT4bYeLRcsFKm8tEADNiAbwW4I481X8QFkl65KaYDuYJVmnCwlofxImfZ/c
         xZjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=9LG5F4KWNfofAyltX/YC7qkx4MHQF+lMd/+rxDBT7OI=;
        b=gzvCjF35RW3HTiXeqgsJ4NGbI6ufyt8iuFc6sHCuIhffWRJaRpaLq4aTO0LpV2umKR
         vmFxjKT3+/hF+mj8zGbNqw4NiWJACLs12uKBqRYQXr4dYc06wTqfHgmLaiEFf4qRHhc2
         nDnI9amQkV4a7WFzQ7zF+bTDLhHdxzni6sLIBIJbAgXW0BAylh/DPY77e6Q7261GAyfM
         hHBg382JJ8lBgNNGfHkn3mJ/v6fk3I8G2eC7JEnriqtUHfvrtX4zIuVrFx+u5yo9Q8TY
         fWaQNXOOxbgbLEBWfVDRobjFooi3SoAHo6PzijTbA3Mxd1R2Rh1Rctgz4kgdEcLNanFN
         0FQQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b="w/lxT7Qr";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 u24-20020a631418000000b0045c59e9a8a9si35736131pgl.322.2022.10.24.05.49.05;
        Mon, 24 Oct 2022 05:49:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b="w/lxT7Qr";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232023AbiJXMic (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
        Mon, 24 Oct 2022 08:38:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45818 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234551AbiJXMf0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Oct 2022 08:35:26 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org
 [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A313D5FAF2;
        Mon, 24 Oct 2022 05:05:25 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id A9C3A6129D;
        Mon, 24 Oct 2022 12:05:06 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1B7AC433D6;
        Mon, 24 Oct 2022 12:05:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666613106;
        bh=N6tPm1EFvhXAzR4cNF8AAjV699h2J/V/7WVDj2y+q3M=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=w/lxT7Qr1oFGbZORLAH5tMoK2aQn0xydNgUMyjeGCRY+AHqQhYcAAmnBykqR7y0u1
         niwJzyYt6+FV1pqdZCCgWMCnrRSJJvaGpX8/5woIYknGw0OYkeoQIiACIfcU3dhneR
         GkLwP/4WcdTssHcTfrGckRkQ0XAVlESfoIiETmfE=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Zhang Xiaoxu <zhangxiaoxu5@huawei.com>,
        "Paulo Alcantara (SUSE)" <pc@cjr.nz>, Tom Talpey <tom@talpey.com>,
        Steve French <stfrench@microsoft.com>
Subject: [PATCH 5.4 011/255] cifs: Fix the error length of
 VALIDATE_NEGOTIATE_INFO message
Date: Mon, 24 Oct 2022 13:28:41 +0200
Message-Id: <20221024113002.822599107@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221024113002.471093005@linuxfoundation.org>
References: <20221024113002.471093005@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747573287492921042?=
X-GMAIL-MSGID: =?utf-8?q?1747573287492921042?=

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit e98ecc6e94f4e6d21c06660b0f336df02836694f upstream.

Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
extend the dialects from 3 to 4, but forget to decrease the extended
length when specific the dialect, then the message length is larger
than expected.

This maybe leak some info through network because not initialize the
message body.

After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is
reduced from 28 bytes to 26 bytes.

Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Cc: <stable@vger.kernel.org>
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2pdu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1100,9 +1100,9 @@ int smb3_validate_negotiate(const unsign
 		pneg_inbuf->Dialects[0] =
 			cpu_to_le16(server->vals->protocol_id);
 		pneg_inbuf->DialectCount = cpu_to_le16(1);
-		/* structure is big enough for 3 dialects, sending only 1 */
+		/* structure is big enough for 4 dialects, sending only 1 */
 		inbuflen = sizeof(*pneg_inbuf) -
-				sizeof(pneg_inbuf->Dialects[0]) * 2;
+				sizeof(pneg_inbuf->Dialects[0]) * 3;
 	}
 
 	rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,