Re: [PATCH] ksmbd: fix transform header validation

On 9/29/2021 9:36 AM, Namjae Jeon wrote:
OriginalMessageSize and SessionId should be used after validating
transform header in request buffer.


I suggest rewording the log for clarity:

++ Validate that the transform and smb request headers are present
++ before checking OriginalMessageSize and SessionId fields.

Is there some reason you aren't using the buf_data_size that is
already calculated, to verify these offsets? It seems like a lot
of redundant, and therefore fragile, coding.

Reviewed-By: Tom Talpey <tom@xxxxxxxxxx>



Cc: Tom Talpey <tom@xxxxxxxxxx>
Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
Cc: Ralph Böhme <slow@xxxxxxxxx>
Cc: Steve French <smfrench@xxxxxxxxx>
Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx>
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
---
  fs/ksmbd/smb2pdu.c | 18 +++++++++---------
  1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index ec05d9dc6436..b06361313889 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -8455,16 +8455,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
  	unsigned int buf_data_size = pdu_length + 4 -
  		sizeof(struct smb2_transform_hdr);
  	struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
-	unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
  	int rc = 0;
- sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
-	if (!sess) {
-		pr_err("invalid session id(%llx) in transform header\n",
-		       le64_to_cpu(tr_hdr->SessionId));
-		return -ECONNABORTED;
-	}
-
  	if (pdu_length + 4 <
  	    sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
  		pr_err("Transform message is too small (%u)\n",
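Review bot: with the session lookup and the early read of OriginalMessageSize removed from this hunk, the "too small" check is now the first thing that touches the buffer, which is the right ordering; but the condition still re-derives the payload length by hand (`pdu_length + 4 < sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)`) even though `buf_data_size` in the context above is already `pdu_length + 4 - sizeof(struct smb2_transform_hdr)`. Writing it as `if (buf_data_size < sizeof(struct smb2_hdr))` states the same requirement (a full transform header plus a full smb2 header must be present) once, in terms of the value the rest of the function uses, rather than as a second arithmetic expression that has to be kept in step with the first.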
@@ -8472,11 +8464,19 @@ int smb3_decrypt_req(struct ksmbd_work *work)
  		return -ECONNABORTED;
  	}
- if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
+	if (pdu_length + 4 <
+	    le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
  		pr_err("Transform message is broken\n");
  		return -ECONNABORTED;
  	}
+ sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
+	if (!sess) {
+		pr_err("invalid session id(%llx) in transform header\n",
+		       le64_to_cpu(tr_hdr->SessionId));
+		return -ECONNABORTED;
+	}
+
  	iov[0].iov_base = buf;
  	iov[0].iov_len = sizeof(struct smb2_transform_hdr);
  	iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);
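Review bot: the rewritten bounds check on the `+` lines needs two lines only because OriginalMessageSize is now read inline inside the arithmetic; `if (buf_data_size < le32_to_cpu(tr_hdr->OriginalMessageSize))` is the identical test (given `buf_data_size = pdu_length + 4 - sizeof(struct smb2_transform_hdr)` from the top of the function), fits on one line, and removes the second copy of the `pdu_length + 4` / `sizeof(struct smb2_transform_hdr)` arithmetic that the previous hunk also carries. The relocated `ksmbd_session_lookup_all()` call now runs only after both size checks have passed, so SessionId is no longer read from a buffer that might be shorter than a transform header; since that move is the substance of the fix, the commit message should say the lookup was moved below the header validation rather than only that the fields "should be used after validating".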
