Am 02.10.21 um 07:55 schrieb Namjae Jeon:
2021-10-01 21:04 GMT+09:00, Ralph Boehme <slow@xxxxxxxxx>:Note: we already have the same check in is_chained_smb2_message(), but there it only applies to compound requests, so we have to repeat the check here to cover both cases. Cc: Namjae Jeon <linkinjeon@xxxxxxxxxx> Cc: Tom Talpey <tom@xxxxxxxxxx> Cc: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx> Cc: Steve French <smfrench@xxxxxxxxx> Cc: Hyunchul Lee <hyc.lee@xxxxxxxxx> Signed-off-by: Ralph Boehme <slow@xxxxxxxxx> --- fs/ksmbd/smb2misc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index 7ed266eb6c5e..541b39b7a84b 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -338,6 +338,9 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) if (check_smb2_hdr(hdr)) return 1; + if (len < sizeof(struct smb2_pdu) - 4) + return 1;when only this patch is applied, how can you guarantee that session id and tree id of smb2 header are vaild ?
what do you mean? This just checks the actual packet lenght is large enough to access the header and the body lenght field.
-slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
