From patchwork Mon Oct 24 11:27:00 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 10003
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhang Xiaoxu, Namjae Jeon, Steve French
Subject: [PATCH 5.15 076/530] ksmbd: Fix wrong return value and message length check in smb2_ioctl()
Date: Mon, 24 Oct 2022 13:27:00 +0200
Message-Id: <20221024113048.459889622@linuxfoundation.org>
In-Reply-To: <20221024113044.976326639@linuxfoundation.org>
References: <20221024113044.976326639@linuxfoundation.org>

From: Zhang Xiaoxu

commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.

Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock break, and
move its struct to smbfs_common") uses the definition of
'struct validate_negotiate_info_req' in smbfs_common; the array length of
'Dialects' changed from 1 to 4, but the protocol does not require the
client to send all 4. This led the request, which satisfied the protocol
and server, to fail.

So just ensure the request payload has the 'DialectCount' in smb2_ioctl(),
then fsctl_validate_negotiate_info() will use it to validate the payload
length and each dialect.

Also, when the {in, out}_buf_len is less than required, it should goto out
to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/ksmbd/smb2pdu.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -7617,11 +7617,16 @@ int smb2_ioctl(struct ksmbd_work *work) goto out; } - if (in_buf_len < sizeof(struct validate_negotiate_info_req)) - return -EINVAL; + if (in_buf_len < offsetof(struct validate_negotiate_info_req, + Dialects)) { + ret = -EINVAL; + goto out; + } - if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) - return -EINVAL; + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) { + ret = -EINVAL; + goto out; + } ret = fsctl_validate_negotiate_info(conn, (struct validate_negotiate_info_req *)&req->Buffer[0],
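Review bot: relaxing the input check to offsetof(struct validate_negotiate_info_req, Dialects) means smb2_ioctl() no longer guarantees that even one Dialects entry is present, so the only remaining bound is whatever fsctl_validate_negotiate_info() does with DialectCount; that function is outside this hunk, so confirm that the 5.15 tree it lands in really checks offsetof(..., Dialects) + DialectCount * sizeof(__le16) against in_buf_len before walking the array, as the commit message claims, otherwise the dialect loop can read past the request buffer. The change from `return -EINVAL;` to `ret = -EINVAL; goto out;` in both checks is the right fix for the uninitialised response status the message describes, assuming the out label translates ret into the response header status; the hunk's trailing context does not show that label either, so worth a glance while reviewing.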
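To make the length-check bug concrete, here is an added example (not code from the ksmbd tree) with a hypothetical stand-in struct assumed to mirror the smbfs_common layout with a four-entry Dialects array: the old check rejects a valid single-dialect request, while the corrected check accepts it and still rejects a request whose DialectCount claims more dialects than the buffer carries.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for struct validate_negotiate_info_req (assumption:
 * same field order as smbfs_common, Dialects sized 4, no padding). */
struct vni_req {
	uint32_t Capabilities;
	uint8_t  Guid[16];
	uint16_t SecurityMode;
	uint16_t DialectCount;
	uint16_t Dialects[4];
};

/* Before the fix: compares against the full struct, so a client that sends
 * a single dialect (26 bytes) is wrongly rejected. Returns 0 if accepted. */
int check_len_old(size_t in_buf_len)
{
	return in_buf_len < sizeof(struct vni_req) ? -1 : 0;
}

/* After the fix: first require the fixed header up to DialectCount (what
 * smb2_ioctl() now checks), then bound DialectCount * 2 by the bytes actually
 * received (what fsctl_validate_negotiate_info() is expected to do). */
int check_len_new(const uint8_t *buf, size_t in_buf_len)
{
	size_t hdr = offsetof(struct vni_req, Dialects);
	size_t off = offsetof(struct vni_req, DialectCount);
	uint16_t count;

	if (in_buf_len < hdr)
		return -1;
	/* DialectCount is little-endian on the wire; decode byte-wise. */
	count = (uint16_t)(buf[off] | (buf[off + 1] << 8));
	if (hdr + (size_t)count * sizeof(uint16_t) > in_buf_len)
		return -1; /* claims more dialects than were sent */
	return 0;
}

/* Constructed request: advertises `count` dialects but carries `sent` slots.
 * Returns the payload length; `out` must hold sizeof(struct vni_req) bytes. */
size_t build_req(uint8_t *out, uint16_t count, size_t sent)
{
	size_t off = offsetof(struct vni_req, DialectCount);

	memset(out, 0, sizeof(struct vni_req));
	out[off] = (uint8_t)(count & 0xff);
	out[off + 1] = (uint8_t)(count >> 8);
	return offsetof(struct vni_req, Dialects) + sent * sizeof(uint16_t);
}
```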