2021-09-30 0:18 GMT+09:00, Tom Talpey <tom@xxxxxxxxxx>: > On 9/29/2021 9:36 AM, Namjae Jeon wrote: >> OriginalMessageSize and SessionId should be used after validating >> transform header in request buffer. > > > I suggest rewording the log for clarity: > > ++ Validate that the transform and smb request headers are present > ++ before checking OriginalMessageSize and SessionId fields. Looks more clear:) Thank you! I will update it. > > Is there some reason you aren't using the buf_data_size that is > already calculated, to verify these offsets? It seems like a lot > of redundant, and therefore fragile, coding. I can't remember why I did this 3 years ago... I will change it on another patch after checking it. > > Reviewed-By: Tom Talpey <tom@xxxxxxxxxx> Thanks for your review! > > >> >> Cc: Tom Talpey <tom@xxxxxxxxxx> >> Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx> >> Cc: Ralph Böhme <slow@xxxxxxxxx> >> Cc: Steve French <smfrench@xxxxxxxxx> >> Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx> >> Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx> >> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx> >> --- >> fs/ksmbd/smb2pdu.c | 18 +++++++++--------- >> 1 file changed, 9 insertions(+), 9 deletions(-) >> >> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c >> index ec05d9dc6436..b06361313889 100644 >> --- a/fs/ksmbd/smb2pdu.c >> +++ b/fs/ksmbd/smb2pdu.c >> @@ -8455,16 +8455,8 @@ int smb3_decrypt_req(struct ksmbd_work *work) >> unsigned int buf_data_size = pdu_length + 4 - >> sizeof(struct smb2_transform_hdr); >> struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf; >> - unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize); >> int rc = 0; >> >> - sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); >> - if (!sess) { >> - pr_err("invalid session id(%llx) in transform header\n", >> - le64_to_cpu(tr_hdr->SessionId)); >> - return -ECONNABORTED; >> - } >> - >> if (pdu_length + 4 < >> sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) { >> pr_err("Transform message is too small (%u)\n", >> @@ -8472,11 +8464,19 @@ int smb3_decrypt_req(struct ksmbd_work *work) >> return -ECONNABORTED; >> } >> >> - if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) { >> + if (pdu_length + 4 < >> + le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct >> smb2_transform_hdr)) { >> pr_err("Transform message is broken\n"); >> return -ECONNABORTED; >> } >> >> + sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); >> + if (!sess) { >> + pr_err("invalid session id(%llx) in transform header\n", >> + le64_to_cpu(tr_hdr->SessionId)); >> + return -ECONNABORTED; >> + } >> + >> iov[0].iov_base = buf; >> iov[0].iov_len = sizeof(struct smb2_transform_hdr); >> iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr); >> >