Am 22.09.21 um 14:01 schrieb Namjae Jeon:
Ronnie reported invalid request buffer access in chained command when inserting garbage value to NextCommand of compound request. This patch add validation check to avoid this issue. Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx> Cc: Ralph Böhme <slow@xxxxxxxxx> Cc: Steve French <smfrench@xxxxxxxxx> Reported-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx> --- v2: - fix integer overflow from work->next_smb2_rcv_hdr_off. v3: - check next command offset and at least header size of next pdu at the same time. fs/ksmbd/smb2pdu.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4f11eb85bb6b..3d250e2539e6 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -466,6 +466,13 @@ bool is_chained_smb2_message(struct ksmbd_work *work)hdr = ksmbd_req_buf_next(work);if (le32_to_cpu(hdr->NextCommand) > 0) { + if ((u64)work->next_smb2_rcv_hdr_off + le32_to_cpu(hdr->NextCommand) + 64 > + get_rfc1002_len(work->request_buf)) {
is this safe from overflows on 32 bit arch? Thanks! -slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature