Re: [PATCH v2] ksmbd: add buffer validation in session setup

On Mon, Oct 18, 2021 at 4:04 PM Namjae Jeon <linkinjeon@xxxxxxxxxx> wrote:
>
> Hi Marios,
> > +     negblob_off = le16_to_cpu(req->SecurityBufferOffset);
> > +     negblob_len = le16_to_cpu(req->SecurityBufferLength);
> > +     if (negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4))
> > +             return -EINVAL;
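Review bot: the check `negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4)` bounds the offset only from below; nothing in this hunk compares `negblob_off + negblob_len` against the number of request bytes actually received, so an offset or length pointing past the packet still passes and the later `negblob->MessageType` read is not covered. Suggest an overflow-safe upper bound beside it, with `req_len` standing for the received request length: `negblob_off > req_len || negblob_len > req_len - negblob_off`. A one-line comment on the `- 4` (presumably the 4-byte length prefix that precedes `ProtocolId`, since SMB2 offsets are measured from `ProtocolId`) would also help the next reader.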
> Like the following code, negblob is still used without a buffer check.
> We need to add a buffer check for it here?
>
> if (negblob->MessageType == NtLmNegotiate) {
>
> } else if (negblob->MessageType == NtLmAuthenticate) {
>
> Thanks!
>
Hello Namjae,

I'm not sure I understand what you mean. Should I change the check to
something like this?

+       negblob_off = le16_to_cpu(req->SecurityBufferOffset);
+       negblob_len = le16_to_cpu(req->SecurityBufferLength);
+       if (negblob_off < (offsetof(struct smb2_sess_setup_req, Buffer) - 4) ||
+           negblob_len < sizeof(struct negotiate_message))
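Review bot: the added `negblob_len < sizeof(struct negotiate_message)` condition rejects buffers too small to hold a negotiate message, but the pair is still not checked against the received request length, so `negblob_off + negblob_len` can extend past the packet exactly as before. Also, `sizeof(struct negotiate_message)` is the right minimum for the `NtLmNegotiate` branch only; the `NtLmAuthenticate` branch quoted above parses a different, larger message layout and needs its own minimum-size check where that message is read.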

Marios

> > +
> >       negblob = (struct negotiate_message *)((char *)&req->hdr.ProtocolId +
> > -                     le16_to_cpu(req->SecurityBufferOffset));
> > +                     negblob_off);
> >
> > -     if (decode_negotiation_token(work, negblob) == 0) {
> > +     if (decode_negotiation_token(conn, negblob, negblob_len) == 0) {
> >               if (conn->mechToken)
> >                       negblob = (struct negotiate_message *)conn->mechToken;
> >       }
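Review bot: `decode_negotiation_token(conn, negblob, negblob_len)` now receives the length, but when it returns non-zero the function carries on with `negblob` still pointing at the raw request bytes selected by `negblob_off`, and only the `== 0` case is handled here; the fallthrough is safe only if the offset/length pair was fully validated before this point, and the earlier part of this hunk checks just the lower bound. Either fail the request on a non-zero return or make sure the full bounds check precedes this pointer computation.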
> > @@ -1736,7 +1746,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
> >                       sess->Preauth_HashValue = NULL;
> >               } else if (conn->preferred_auth_mech == KSMBD_AUTH_NTLMSSP) {
> >                       if (negblob->MessageType == NtLmNegotiate) {
> > -                             rc = ntlm_negotiate(work, negblob);
> > +                             rc = ntlm_negotiate(work, negblob, negblob_len);
> >                               if (rc)
> >                                       goto out_err;
> >                               rsp->hdr.Status =
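Review bot: `ntlm_negotiate(work, negblob, negblob_len)` passes the client-supplied `SecurityBufferLength` even though, in the previous hunk, `negblob` may have been redirected to `conn->mechToken` after a successful `decode_negotiation_token`; in that case `negblob_len` describes the original security buffer, not the mechToken, so the pointer and the length no longer belong together. Track the length alongside the pointer (updating it to the mechToken's length when the pointer is swapped) so that `ntlm_negotiate` bounds-checks the buffer it actually reads.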
> > --
> > 2.25.1
> >
> >
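As an added illustration of the offset/length validation this thread is about (my own example, not ksmbd's code and not part of the original message): the struct layouts below are constructed stand-ins that follow the SMB2 SESSION_SETUP field order with an assumed 4-byte length prefix before `ProtocolId`, which is what the patch's `- 4` would account for; `sess_setup_security_buffer`, `build_request` and `probe` are names I chose. It combines the lower bound from the patch, a minimum message size like Marios's proposed condition, and the upper bound against the received length, arranged so the sum cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the request layout (not ksmbd's definitions).
 * Field order follows the SMB2 SESSION_SETUP request; the 4-byte buf_length
 * prefix before the 64-byte SMB2 header is assumed and is what the "- 4" in
 * the patch's check would account for: SecurityBufferOffset is measured from
 * ProtocolId, not from the start of the allocation. */
struct smb2_hdr {
    uint32_t buf_length;        /* assumed transport length prefix */
    uint32_t ProtocolId;        /* wire offsets are relative to here */
    uint8_t  rest[60];          /* remaining bytes of the 64-byte header */
} __attribute__((packed));

struct smb2_sess_setup_req {
    struct smb2_hdr hdr;
    uint16_t StructureSize;
    uint8_t  Flags;
    uint8_t  SecurityMode;
    uint32_t Capabilities;
    uint32_t Channel;
    uint16_t SecurityBufferOffset;
    uint16_t SecurityBufferLength;
    uint64_t PreviousSessionId;
    uint8_t  Buffer[];          /* security blob starts here: 88 bytes from ProtocolId */
} __attribute__((packed));

struct negotiate_message {      /* only the prefix the MessageType read needs */
    uint8_t  Signature[8];
    uint32_t MessageType;
} __attribute__((packed));

#define BASE_OFF    offsetof(struct smb2_sess_setup_req, hdr.ProtocolId)   /* 4 */
#define BUFFER_OFF  offsetof(struct smb2_sess_setup_req, Buffer)           /* 92 */

static uint16_t le16_at(const uint8_t *p, size_t off)
{
    return (uint16_t)(p[off] | (p[off + 1] << 8));   /* wire fields are little-endian */
}

/* Return a pointer to the security buffer when (offset, length) lies entirely
 * inside the pkt_len bytes received, starts no earlier than Buffer, and is at
 * least min_len bytes long; NULL otherwise. Comparisons are ordered so that no
 * addition can wrap before it is checked. */
const uint8_t *sess_setup_security_buffer(const uint8_t *pkt, size_t pkt_len,
                                          size_t min_len, size_t *out_len)
{
    if (pkt_len < sizeof(struct smb2_sess_setup_req))
        return NULL;                                  /* fixed part truncated */

    size_t off   = le16_at(pkt, offsetof(struct smb2_sess_setup_req, SecurityBufferOffset));
    size_t len   = le16_at(pkt, offsetof(struct smb2_sess_setup_req, SecurityBufferLength));
    size_t avail = pkt_len - BASE_OFF;                /* bytes addressable from ProtocolId */

    if (off < BUFFER_OFF - BASE_OFF)
        return NULL;                                  /* lower bound: would overlap fixed fields */
    if (len < min_len)
        return NULL;                                  /* too short to hold the message header */
    if (off > avail || len > avail - off)
        return NULL;                                  /* upper bound: runs past received bytes */

    if (out_len)
        *out_len = len;
    return pkt + BASE_OFF + off;
}

/* Build a constructed, zero-filled request of pkt_len bytes carrying the given
 * SecurityBufferOffset/Length. Returns 0 if it does not fit in cap. */
size_t build_request(uint8_t *pkt, size_t cap, size_t pkt_len, uint16_t off, uint16_t len)
{
    if (pkt_len > cap || pkt_len < sizeof(struct smb2_sess_setup_req))
        return 0;
    memset(pkt, 0, pkt_len);
    size_t o = offsetof(struct smb2_sess_setup_req, SecurityBufferOffset);
    size_t l = offsetof(struct smb2_sess_setup_req, SecurityBufferLength);
    pkt[o] = (uint8_t)(off & 0xff); pkt[o + 1] = (uint8_t)(off >> 8);
    pkt[l] = (uint8_t)(len & 0xff); pkt[l + 1] = (uint8_t)(len >> 8);
    return pkt_len;
}

/* Exercise the check on one constructed request: returns the accepted buffer's
 * offset within the packet, or -1 when the request is rejected. */
long probe(size_t pkt_len, uint16_t off, uint16_t len, size_t min_len)
{
    uint8_t pkt[512];
    size_t n = build_request(pkt, sizeof pkt, pkt_len, off, len);
    if (n == 0)
        return -1;
    const uint8_t *p = sess_setup_security_buffer(pkt, n, min_len, NULL);
    return p ? (long)(p - pkt) : -1;
}

int main(void)
{
    size_t min = sizeof(struct negotiate_message);    /* 12, as in the proposed condition */
    printf("in-bounds: %ld\n", probe(200, 88, 12, min));         /* 92: accepted */
    printf("overlaps fixed fields: %ld\n", probe(200, 87, 12, min));
    printf("too short: %ld\n", probe(200, 88, 8, min));
    printf("past end of packet: %ld\n", probe(100, 88, 12, min));
    printf("huge offset: %ld\n", probe(200, 0xffff, 1, min));
    return 0;
}
```

The three comparisons are deliberately separate so each rejection has one cause, and `len > avail - off` is evaluated only after `off > avail` has been ruled out, which is what keeps the subtraction from wrapping.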


