2021-09-30 0:18 GMT+09:00, Tom Talpey <tom@xxxxxxxxxx>:
> On 9/29/2021 9:36 AM, Namjae Jeon wrote:
>> OriginalMessageSize and SessionId should be used after validating
>> transform header in request buffer.
>
>
> I suggest rewording the log for clarity:
>
> ++ Validate that the transform and smb request headers are present
> ++ before checking OriginalMessageSize and SessionId fields.
Looks more clear:) Thank you! I will update it.
>
> Is there some reason you aren't using the buf_data_size that is
> already calculated, to verify these offsets? It seems like a lot
> of redundant, and therefore fragile, coding.
I can't remember why I did this 3 years ago... I will change it on
another patch after checking it.
>
> Reviewed-By: Tom Talpey <tom@xxxxxxxxxx>
Thanks for your review!
>
>
>>
>> Cc: Tom Talpey <tom@xxxxxxxxxx>
>> Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
>> Cc: Ralph Böhme <slow@xxxxxxxxx>
>> Cc: Steve French <smfrench@xxxxxxxxx>
>> Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
>> Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx>
>> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
>> ---
>> fs/ksmbd/smb2pdu.c | 18 +++++++++---------
>> 1 file changed, 9 insertions(+), 9 deletions(-)
>>
>> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
>> index ec05d9dc6436..b06361313889 100644
>> --- a/fs/ksmbd/smb2pdu.c
>> +++ b/fs/ksmbd/smb2pdu.c
>> @@ -8455,16 +8455,8 @@ int smb3_decrypt_req(struct ksmbd_work *work)
>> unsigned int buf_data_size = pdu_length + 4 -
>> sizeof(struct smb2_transform_hdr);
>> struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
>> - unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
>> int rc = 0;
>>
>> - sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
>> - if (!sess) {
>> - pr_err("invalid session id(%llx) in transform header\n",
>> - le64_to_cpu(tr_hdr->SessionId));
>> - return -ECONNABORTED;
>> - }
>> -
>> if (pdu_length + 4 <
>> sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
>> pr_err("Transform message is too small (%u)\n",
>> @@ -8472,11 +8464,19 @@ int smb3_decrypt_req(struct ksmbd_work *work)
>> return -ECONNABORTED;
>> }
>>
>> - if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) {
>> + if (pdu_length + 4 <
>> + le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct
>> smb2_transform_hdr)) {
>> pr_err("Transform message is broken\n");
>> return -ECONNABORTED;
>> }
>>
>> + sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId));
>> + if (!sess) {
>> + pr_err("invalid session id(%llx) in transform header\n",
>> + le64_to_cpu(tr_hdr->SessionId));
>> + return -ECONNABORTED;
>> + }
>> +
>> iov[0].iov_base = buf;
>> iov[0].iov_len = sizeof(struct smb2_transform_hdr);
>> iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);
>>
>
