We could move the check - but we would still have to check that the other
offset (security buffer offset) doesn't go beyond the end of the SMB.

It could save one line by moving this callout (the if command == SMB2_negotiate)

+#ifdef CONFIG_CIFS_SMB311
+ if (shdr->Command == SMB2_NEGOTIATE)
+ clc_len += get_neg_ctxt_len(hdr, len, clc_len);
+#endif /* SMB311 */

but not sure if it is any clearer. Thoughts?

On Tue, Apr 10, 2018 at 4:31 AM, Aurélien Aptel <aaptel@xxxxxxxx> wrote:
> Steve French <smfrench@xxxxxxxxx> writes:
>> SMB3: Fix length checking of SMB3.11 negotiate request
>>
>> The length checking for SMB3.11 negotiate request includes
>> "negotiate contexts" which caused a buffer validation problem
>> and a confusing warning message on SMB3.11 mount e.g.:
>>
>> SMB2 server sent bad RFC1001 len 236 not 170
>>
>> Fix the length checking for SMB3.11 negotiate to account for
>> the new negotiate context so that we don't log a warning on
>> SMB3.11 mount.
>
> code looks correct but I have a comment:
>
> so the patch adds the check like this:
>
>     clc_len = smb2_calc_size(hdr);
>
>     if (shdr->Command == SMB2_NEGOTIATE)
>         clc_len += get_neg_ctxt_len(hdr, len, clc_len);
>
> but it might be cleaner to just fix the path that computes the size in
> smb2_calc_size():
>
> smb2_calc_size()
>   smb2_get_data_area()
>     case SMB2_NEGOTIATE:
>       *off = le16_to_cpu(
>           ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferOffset);
>       *len = le16_to_cpu(
>           ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferLength);
>       /*** PATCH HERE *****/
>       break;
>
> I think we could set off and len to the negctx off and len instead of the gss if
> using 3.11.
>
> you can do less debug checks than with your patch given the clc_len isn't
> computed yet but I think it would be cleaner.
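Review bot: the `#endif /* SMB311 */` comment in the proposed hunk does not name the macro it closes; write `#endif /* CONFIG_CIFS_SMB311 */` so the guard reads at a glance. The guard is also compile-time only, so get_neg_ctxt_len(hdr, len, clc_len) itself must confirm the response's dialect is 3.1.1 and check NegotiateContextOffset and every context's DataLength against `len` before its result is added to clc_len, in the same way the message says the security buffer offset still needs its own end-of-SMB check.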
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team

--
Thanks,

Steve
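The length computation the thread argues about, as an added example that is not part of the thread or of the cifs.ko sources: `calc_size_no_ctxt()` plays the part of smb2_calc_size() (header, fixed body, security blob), `calc_size_with_ctxt()` plays the part of get_neg_ctxt_len() by walking the SMB 3.1.1 negotiate contexts with bounds checks, and `build_sample()` constructs a 236-byte response whose pre-fix size comes out as 170, the two numbers in the quoted warning. The function names, the byte offsets (taken from [MS-SMB2]) and the sample contents are assumptions, not cifs.ko code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SMB2_HDR 64      /* header size; the negotiate response body follows it */
#define SMB311   0x0311  /* DialectRevision of SMB 3.1.1 */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* What smb2_calc_size() computed: end of the security buffer (body offsets
 * 56/58), or 0 when that offset/length pair points outside the message. */
size_t calc_size_no_ctxt(const uint8_t *rsp, size_t rlen)
{
	size_t off = le16(rsp + SMB2_HDR + 56), len = le16(rsp + SMB2_HDR + 58);
	if (off < SMB2_HDR + 64 || off + len > rlen)   /* 64: fixed body size */
		return 0;
	return off + len;
}

/* Role of get_neg_ctxt_len(): walk NegotiateContextCount (body offset 6)
 * contexts from NegotiateContextOffset (body offset 60), each 8-byte aligned,
 * 8-byte header plus DataLength, bounds-checking each one against rlen.
 * Returns the expected total, clc when no contexts apply, 0 when malformed. */
size_t calc_size_with_ctxt(const uint8_t *rsp, size_t rlen)
{
	size_t clc = calc_size_no_ctxt(rsp, rlen), off = le32(rsp + SMB2_HDR + 60);
	uint16_t count = le16(rsp + SMB2_HDR + 6);
	if (!clc || le16(rsp + SMB2_HDR + 4) != SMB311 || count == 0)
		return clc;
	if (off < clc)               /* contexts may not overlap the security blob */
		return 0;
	for (uint16_t i = 0; i < count; i++) {
		if (i) off = (off + 7) & ~(size_t)7;     /* contexts are 8-byte aligned */
		if (off + 8 > rlen || off + 8 + le16(rsp + off + 2) > rlen) return 0;
		off += 8 + le16(rsp + off + 2);
	}
	return off;
}

/* Constructed 3.1.1 response matching the thread's warning: 42-byte security
 * blob at 128 (calc size 170), then a PREAUTH_INTEGRITY context (38 data
 * bytes) and an ENCRYPTION context (4 data bytes) ending at 236. */
size_t build_sample(uint8_t *buf, size_t cap)
{
	if (cap < 236) return 0;
	memset(buf, 0, 236);                        /* header Command 0 = NEGOTIATE */
	put16(buf + 64, 65); put16(buf + 68, SMB311); put16(buf + 70, 2);
	put16(buf + 120, 128); put16(buf + 122, 42); put16(buf + 124, 176); /* u32 off, high half 0 */
	put16(buf + 176, 1); put16(buf + 178, 38);  /* context 1 at 176..221 */
	put16(buf + 224, 2); put16(buf + 226, 4);   /* context 2 at 224..235 */
	return 236;
}
```

Feeding the sample through both functions gives the 170 that smb2_calc_size() reported and the 236 that actually arrived; truncating the received length so the second context overruns makes the context walk return 0 instead of trusting the advertised lengths.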