Steve French <smfrench@xxxxxxxxx> writes:
> SMB3: Fix length checking of SMB3.11 negotiate request
>
> The length checking for SMB3.11 negotiate request includes
> "negotiate contexts" which caused a buffer validation problem
> and a confusing warning message on SMB3.11 mount e.g.:
>
>    SMB2 server sent bad RFC1001 len 236 not 170
>
> Fix the length checking for SMB3.11 negotiate to account for
> the new negotiate context so that we don't log a warning on
> SMB3.11 mount.

Code looks correct but I have a comment:

So the patch adds the check like this:

	clc_len = smb2_calc_size(hdr);

	if (shdr->Command == SMB2_NEGOTIATE)
		clc_len += get_neg_ctxt_len(hdr, len, clc_len);

but it might be cleaner to just fix the path that computes the size in
smb2_calc_size():

smb2_calc_size()
  smb2_get_data_area()
	case SMB2_NEGOTIATE:
		*off = le16_to_cpu(
		    ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferOffset);
		*len = le16_to_cpu(
		    ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferLength);
		/*** PATCH HERE *****/
		break;

I think we could set off and len to the negctx off and len instead of
the gss if using 3.11. You can do less debug checks than with your patch
given the clc_len isn't computed yet but I think it would be cleaner.

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
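
Added example, not part of the original message or of the patch under review: a self-contained C sketch of the kind of length validation the quoted commit message describes, where the SMB3.11 negotiate contexts that follow the security blob are counted before the calculated length is compared with the received length. The struct, the function names and the context offset of 176 are assumptions made for illustration; 236 and 170 are the lengths from the quoted warning.

```c
#include <stdint.h>
#include <stdio.h>

#define SMB311_DIALECT  0x0311u /* SMB 3.1.1 dialect revision */
#define NEG_CTX_HDR_LEN 8u      /* ContextType + DataLength + Reserved */

/* Hypothetical host-endian view of the response fields used for length
 * validation; this is not the kernel's struct smb2_negotiate_rsp. */
struct neg_rsp_view {
    uint16_t dialect;    /* DialectRevision */
    uint16_t ctx_count;  /* NegotiateContextCount */
    uint32_t ctx_offset; /* NegotiateContextOffset, from start of SMB2 header */
};

/* Bytes to add to non_ctx_len (header + fixed part + security blob) before
 * comparing with frame_len. Returns 0 when there are no contexts or the
 * fields are inconsistent, so the caller compares the unadjusted length. */
static uint32_t neg_ctx_extra_len(const struct neg_rsp_view *r,
                                  uint32_t frame_len, uint32_t non_ctx_len)
{
    uint64_t min_end;

    if (r->dialect != SMB311_DIALECT || r->ctx_count == 0)
        return 0;
    if (r->ctx_offset < non_ctx_len) /* contexts must follow the blob */
        return 0;
    /* Each context needs at least its 8-byte header inside the frame;
     * 64-bit arithmetic so a large offset cannot wrap the sum. */
    min_end = (uint64_t)r->ctx_offset + (uint64_t)r->ctx_count * NEG_CTX_HDR_LEN;
    if (min_end > frame_len)
        return 0;
    /* Padding before the contexts plus the contexts themselves. */
    return (r->ctx_offset - non_ctx_len) + (frame_len - r->ctx_offset);
}

/* Constructed sample using the numbers from the quoted warning: 170 bytes
 * without contexts, 236 received; the offset 176 is an assumption. */
static uint32_t sample_calc_len(void)
{
    struct neg_rsp_view r = { SMB311_DIALECT, 2, 176 };
    return 170 + neg_ctx_extra_len(&r, 236, 170);
}

int main(void)
{
    printf("calculated length: %u\n", (unsigned)sample_calc_len());
    return 0;
}
```

Once the checks pass, the adjusted length equals the received length, so what the function contributes is the rejection of a context offset that overlaps the security blob or a context count that cannot fit in the frame.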