2021-09-22 14:22 GMT+09:00, Leif Sahlberg <lsahlber@xxxxxxxxxx>:
> Minor issue, as far as I can tell not exploitable, but looks funny.
>
>
> Apply this patch to libsmb2 and run this for a reproducer:
> diff --git a/lib/libsmb2.c b/lib/libsmb2.c
> index d17e72b..244cab6 100644
> --- a/lib/libsmb2.c
> +++ b/lib/libsmb2.c
> @@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2,
> const char *path,
> smb2_free_pdu(smb2, pdu);
> return -1;
> }
> + next_pdu->header.protocol_id[3] = 0xaa;
> smb2_add_compound_pdu(smb2, pdu, next_pdu);
>
> /* CLOSE command */
>
>
> ./examples/smb2-stat-sync smb://server/Share
>
>
> What it basically does it it corrupts the SMB2 signature for the
> second PDU in the
> Create/GetInfo/Close compound.
>
> Wireshark is fine with this and still decodes the PDU eventhough it
> has the signature 0xfe 'S 'M' 0xaa
>
>
> The bug is that it only checks the signature for the first PDU:
>
> int ksmbd_verify_smb_message(struct ksmbd_work *work)
> {
> struct smb2_hdr *smb2_hdr = work->request_buf;
>
> if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
> return ksmbd_smb2_check_message(work);
>
> return 0;
> }
>
>
> Funny thing is that ksmbd responds with the same bogus signature in
> the second PDU in the compound.
Oops, I will fix it, Thanks for your check!
>
>
