Looks good to me.
Acked-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
2021년 9월 24일 (금) 오전 11:13, Namjae Jeon <linkinjeon@xxxxxxxxxx>님이 작성:
>
> Ronnie reported invalid request buffer access in chained command when
> inserting garbage value to NextCommand of compound request.
> This patch add validation check to avoid this issue.
>
> Cc: Tom Talpey <tom@xxxxxxxxxx>
> Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
> Cc: Ralph Böhme <slow@xxxxxxxxx>
> Cc: Steve French <smfrench@xxxxxxxxx>
> Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx>
> Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> ---
> fs/ksmbd/smb2pdu.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index a930838fd6ac..4f7b5e18a7b9 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -459,13 +459,22 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
> bool is_chained_smb2_message(struct ksmbd_work *work)
> {
> struct smb2_hdr *hdr = work->request_buf;
> - unsigned int len;
> + unsigned int len, next_cmd;
>
> if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
> return false;
>
> hdr = ksmbd_req_buf_next(work);
> - if (le32_to_cpu(hdr->NextCommand) > 0) {
> + next_cmd = le32_to_cpu(hdr->NextCommand);
> + if (next_cmd > 0) {
> + if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
> + __SMB2_HEADER_STRUCTURE_SIZE >
> + get_rfc1002_len(work->request_buf)) {
> + pr_err("next command(%u) offset exceeds smb msg size\n",
> + next_cmd);
> + return false;
> + }
> +
> ksmbd_debug(SMB, "got SMB2 chained command\n");
> init_chained_smb2_rsp(work);
> return true;
> --
> 2.25.1
>
--
Thanks,
Hyunchul
