2022-09-24 19:52 GMT+09:00, Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>:
> The structure size includes 4 dialect slots, but the protocol does not
> require the client to send all 4. So this allows the negotiation to not
> fail.
This comment is a bit vague.
You need to add the description to validate DialectCount before
calling fsctl_validate_negotiate_info(). Because there is the check
using DialectCount
in this function, so we have to validate it first.
>
> Also when the {in, out}_buf_len is less than the required, should goto
> out to initialize the status in the response header.
>
> Fixes: f7db8fd03a4bc ("ksmbd: add validation in smb2_ioctl")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
> ---
> fs/ksmbd/smb2pdu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index 15c487aa19ad..d8ef50530a73 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -7638,11 +7638,16 @@ int smb2_ioctl(struct ksmbd_work *work)
> goto out;
> }
>
> - if (in_buf_len < sizeof(struct validate_negotiate_info_req))
> - return -EINVAL;
> + if (in_buf_len < offsetof(struct validate_negotiate_info_req,
> + Dialects[1])) {
Why did you change it from v6? v6 is the correct fix...
> + ret = -EINVAL;
> + goto out;
> + }
>
> - if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
> - return -EINVAL;
> + if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
> + ret = -EINVAL;
> + goto out;
> + }
>
> ret = fsctl_validate_negotiate_info(conn,
> (struct validate_negotiate_info_req *)&req->Buffer[0],
> --
> 2.31.1
>
>
