Hi Marios,
> + negblob_off = le16_to_cpu(req->SecurityBufferOffset);
> + negblob_len = le16_to_cpu(req->SecurityBufferLength);
> + if (negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4))
> + return -EINVAL;
Like the following code, negblob is still used without buffer check. We need to add buffer check for it here ?
if (negblob->MessageType == NtLmNegotiate) {
} else if (negblob->MessageType == NtLmAuthenticate) {
Thanks!
> +
> negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId +
> - le16_to_cpu(req->SecurityBufferOffset));
> + negblob_off);
>
> - if (decode_negotiation_token(work, negblob) == 0) {
> + if (decode_negotiation_token(conn, negblob, negblob_len) == 0) {
> if (conn->mechToken)
> negblob = (struct negotiate_message *)conn->mechToken;
> }
> @@ -1736,7 +1746,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
> sess->Preauth_HashValue = NULL;
> } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
> if (negblob->MessageType == NtLmNegotiate) {
> - rc = ntlm_negotiate(work, negblob);
> + rc = ntlm_negotiate(work, negblob, negblob_len);
> if (rc)
> goto out_err;
> rsp->hdr.Status =
> --
> 2.25.1
>
>
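Review bot: The `negblob_len` handed to `ntlm_negotiate(work, negblob, negblob_len)` in the `@@ -1736` hunk can describe the wrong buffer: the preceding hunk redirects `negblob` to `conn->mechToken` when `decode_negotiation_token()` succeeds, but `negblob_len` still holds the SecurityBufferLength of the original request blob, so any bound check inside `ntlm_negotiate()` would be measured against the SPNEGO wrapper rather than the extracted token. Whatever length `decode_negotiation_token()` records for that token (presumably a `conn->mechTokenLen`-style field, not visible here) should be assigned alongside the pointer, e.g. `if (conn->mechToken) { negblob = (struct negotiate_message *)conn->mechToken; negblob_len = <token length>; }`. The same caveat presumably applies to the authenticate path if it is given `negblob_len` the same way; that branch and the rest of `smb2_sess_setup()` lie outside the quoted hunks.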