Skip to content

Commit 1c1bcf2

Browse files
namjaejeonSteve French
namjaejeon
authored and
Steve French
committed
ksmbd: validate smb request protocol id
This patch add the validation for smb request protocol id. If it is not one of the four ids(SMB1_PROTO_NUMBER, SMB2_PROTO_NUMBER, SMB2_TRANSFORM_PROTO_NUM, SMB2_COMPRESSION_TRANSFORM_ID), don't allow processing the request. And this will fix the following KASAN warning also. [ 13.905265] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.905900] Read of size 16 at addr ffff888005fd2f34 by task kworker/0:2/44 ... [ 13.908553] Call Trace: [ 13.908793] <TASK> [ 13.908995] dump_stack_lvl+0x33/0x50 [ 13.909369] print_report+0xcc/0x620 [ 13.910870] kasan_report+0xae/0xe0 [ 13.911519] kasan_check_range+0x35/0x1b0 [ 13.911796] init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.912492] handle_ksmbd_work+0xe5/0x820 Cc: stable@vger.kernel.org Reported-by: Chih-Yen Chang <cc85nod@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
1 parent 368ba06 commit 1c1bcf2

File tree

2 files changed

+16
-3
lines changed

2 files changed

+16
-3
lines changed

fs/smb/server/connection.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -364,8 +364,6 @@ int ksmbd_conn_handler_loop(void *p)
364364
break;
365365

366366
memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
367-
if (!ksmbd_smb_request(conn))
368-
break;
369367

370368
/*
371369
* We already read 4 bytes to find out PDU size, now
@@ -383,6 +381,9 @@ int ksmbd_conn_handler_loop(void *p)
383381
continue;
384382
}
385383

384+
if (!ksmbd_smb_request(conn))
385+
break;
386+
386387
if (((struct smb2_hdr *)smb2_get_msg(conn->request_buf))->ProtocolId ==
387388
SMB2_PROTO_NUMBER) {
388389
if (pdu_size < SMB2_MIN_SUPPORTED_HEADER_SIZE)

fs/smb/server/smb_common.c

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -158,7 +158,19 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
158158
*/
159159
bool ksmbd_smb_request(struct ksmbd_conn *conn)
160160
{
161-
return conn->request_buf[0] == 0;
161+
__le32 *proto = (__le32 *)smb2_get_msg(conn->request_buf);
162+
163+
if (*proto == SMB2_COMPRESSION_TRANSFORM_ID) {
164+
pr_err_ratelimited("smb2 compression not support yet");
165+
return false;
166+
}
167+
168+
if (*proto != SMB1_PROTO_NUMBER &&
169+
*proto != SMB2_PROTO_NUMBER &&
170+
*proto != SMB2_TRANSFORM_PROTO_NUM)
171+
return false;
172+
173+
return true;
162174
}
163175

164176
static bool supported_protocol(int idx)

0 commit comments

Comments
 (0)