2021-10-01 21:04 GMT+09:00, Ralph Boehme <slow@xxxxxxxxx>:
> Note: we already have the same check in is_chained_smb2_message(), but there
> it
> only applies to compound requests, so we have to repeat the check here to
> cover
> both cases.
>
> Cc: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> Cc: Tom Talpey <tom@xxxxxxxxxx>
> Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
> Cc: Steve French <smfrench@xxxxxxxxx>
> Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx>
> Signed-off-by: Ralph Boehme <slow@xxxxxxxxx>
> ---
> fs/ksmbd/smb2misc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
> index 7ed266eb6c5e..541b39b7a84b 100644
> --- a/fs/ksmbd/smb2misc.c
> +++ b/fs/ksmbd/smb2misc.c
> @@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
> if (check_smb2_hdr(hdr))
> return 1;
>
> + if (len < sizeof(struct smb2_pdu) - 4)
> + return 1;
when only this patch is applied, how can you guarantee that session id
and tree id of smb2 header are vaild ?
> +
> if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
> ksmbd_debug(SMB, "Illegal structure size %u\n",
> le16_to_cpu(hdr->StructureSize));
> --
> 2.31.1
>
>
