Commit 56e84c6

pali authored and Steve French committed
cifs: Fix validation of SMB1 query reparse point response
Validate the SMB1 query reparse point response per [MS-CIFS] section 2.2.7.2 NT_TRANSACT_IOCTL.

NT_TRANSACT_IOCTL response contains one word long setup data after which is ByteCount member. So check that SetupCount is 1 before trying to read and use ByteCount member.

Output setup data contains ReturnedDataLen member which is the output length of executed IOCTL command by remote system. So check that output was not truncated before transferring over network.

Change MaxSetupCount of NT_TRANSACT_IOCTL request from 4 to 1 as io_rsp structure already expects one word long output setup data. This should prevent server sending incompatible structure (in case it would be extended in future, which is unlikely).

Change MaxParameterCount of NT_TRANSACT_IOCTL request from 2 to 0 as NT IOCTL does not have any documented output parameters and this function does not parse any output parameters at all.

Fixes: ed3e0a1 ("smb: client: implement ->query_reparse_point() for SMB1")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
1 parent 89381c7 commit 56e84c6

1 file changed (+18, -2 lines)

fs/smb/client/cifssmb.c

Lines changed: 18 additions & 2 deletions
@@ -2754,10 +2754,10 @@ int cifs_query_reparse_point(const unsigned int xid,
27542754

27552755
io_req->TotalParameterCount = 0;
27562756
io_req->TotalDataCount = 0;
2757-
io_req->MaxParameterCount = cpu_to_le32(2);
2757+
io_req->MaxParameterCount = cpu_to_le32(0);
27582758
/* BB find exact data count max from sess structure BB */
27592759
io_req->MaxDataCount = cpu_to_le32(CIFSMaxBufSize & 0xFFFFFF00);
2760-
io_req->MaxSetupCount = 4;
2760+
io_req->MaxSetupCount = 1;
27612761
io_req->Reserved = 0;
27622762
io_req->ParameterOffset = 0;
27632763
io_req->DataCount = 0;
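Review bot: the two request-field changes in this hunk deserve a short in-code comment, because the response parser now relies on them: `io_req->MaxSetupCount = 1;` is what makes a later rejection of any response with SetupCount other than 1 consistent with what the client asked for (NT_TRANSACT_IOCTL returns a single output setup word, ReturnedDataLen, per [MS-CIFS] 2.2.7.2), and `io_req->MaxParameterCount = cpu_to_le32(0);` tells the server the client will accept no output parameters, which this function never parses anyway. Something like `/* one output setup word (ReturnedDataLen); no output parameters are parsed */` next to these assignments would save the next reader a trip to the commit log.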
@@ -2784,6 +2784,22 @@ int cifs_query_reparse_point(const unsigned int xid,
27842784
goto error;
27852785
}
27862786

2787+
/* SetupCount must be 1, otherwise offset to ByteCount is incorrect. */
2788+
if (io_rsp->SetupCount != 1) {
2789+
rc = -EIO;
2790+
goto error;
2791+
}
2792+
2793+
/*
2794+
* ReturnedDataLen is output length of executed IOCTL.
2795+
* DataCount is output length transferred over network.
2796+
* Check that we have full FSCTL_GET_REPARSE_POINT buffer.
2797+
*/
2798+
if (data_count != le16_to_cpu(io_rsp->ReturnedDataLen)) {
2799+
rc = -EIO;
2800+
goto error;
2801+
}
2802+
27872803
end = 2 + get_bcc(&io_rsp->hdr) + (__u8 *)&io_rsp->ByteCount;
27882804
start = (__u8 *)&io_rsp->hdr.Protocol + data_offset;
27892805
if (start >= end) {
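Review bot: the two new checks fail with a bare `rc = -EIO;` and no diagnostic; a `cifs_dbg(VFS, ...)` (or at least `FYI`) recording the unexpected `SetupCount`, or `data_count` against `le16_to_cpu(io_rsp->ReturnedDataLen)`, would make a misbehaving or truncating server diagnosable instead of surfacing as a generic I/O error. It is also worth confirming that `data_count` and `data_offset`, computed above this hunk, come from the fixed-offset NT_TRANSACT response header fields rather than from anything located past the variable-length setup array, since they are consumed before `SetupCount` has been validated; the ordering within the hunk itself is right, as the `SetupCount != 1` check precedes the `get_bcc(&io_rsp->hdr)` / `ByteCount` computation that depends on it.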
