Minor issue, as far as I can tell not exploitable, but looks funny.
Apply this patch to libsmb2 and run this for a reproducer:
diff --git a/lib/libsmb2.c b/lib/libsmb2.c
index d17e72b..244cab6 100644
--- a/lib/libsmb2.c
+++ b/lib/libsmb2.c
@@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2,
const char *path,
smb2_free_pdu(smb2, pdu);
return -1;
}
+ next_pdu->header.protocol_id[3] = 0xaa;
smb2_add_compound_pdu(smb2, pdu, next_pdu);
/* CLOSE command */
./examples/smb2-stat-sync smb://server/Share
What it basically does it it corrupts the SMB2 signature for the
second PDU in the
Create/GetInfo/Close compound.
Wireshark is fine with this and still decodes the PDU eventhough it
has the signature 0xfe 'S 'M' 0xaa
The bug is that it only checks the signature for the first PDU:
int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
struct smb2_hdr *smb2_hdr = work->request_buf;
if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
return ksmbd_smb2_check_message(work);
return 0;
}
Funny thing is that ksmbd responds with the same bogus signature in
the second PDU in the compound.
