Re: [PATCH 1/2] ksmbd: do not allow the actual frame length to be smaller than the rfc10024 length

Namjae Jeon <linkinjeon@xxxxxxxxxx> · Fri, 10 Feb 2023 10:14:36 +0900



2023-02-10 8:48 GMT+09:00, Steve French <smfrench@xxxxxxxxx>:
> typically rounding up to 8 byte boundary would be logical to allow
okay, Will update it on v2.

Thanks!
>
> On Wed, Feb 8, 2023 at 3:41 AM Namjae Jeon <linkinjeon@xxxxxxxxxx> wrote:
>>
>> ksmbd allowed the actual frame length to be smaller than the rfc1002
>> length. If allowed, it is possible to allocates a large amount of memory
>> that can be limited by credit management and can eventually cause memory
>> exhaustion problem. This patch do not allow it except SMB2 Negotiate
>> request which will be validated when message handling proceeds.
>> Also, cifs client pad smb2 tree connect to 2bytes.
>>
>> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
>> ---
>>  fs/ksmbd/smb2misc.c | 23 +++++++++++------------
>>  1 file changed, 11 insertions(+), 12 deletions(-)
>>
>> diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
>> index a717aa9b4af8..fc44f08b5939 100644
>> --- a/fs/ksmbd/smb2misc.c
>> +++ b/fs/ksmbd/smb2misc.c
>> @@ -408,20 +408,19 @@ int ksmbd_smb2_check_message(struct ksmbd_work
>> *work)
>>                         goto validate_credit;
>>
>>                 /*
>> -                * windows client also pad up to 8 bytes when
>> compounding.
>> -                * If pad is longer than eight bytes, log the server
>> behavior
>> -                * (once), since may indicate a problem but allow it and
>> -                * continue since the frame is parseable.
>> +                * SMB2 NEGOTIATE request will be validated when message
>> +                * handling proceeds.
>>                  */
>> -               if (clc_len < len) {
>> -                       ksmbd_debug(SMB,
>> -                                   "cli req padded more than expected.
>> Length %d not %d for cmd:%d mid:%llu\n",
>> -                                   len, clc_len, command,
>> -                                   le64_to_cpu(hdr->MessageId));
>> -                       goto validate_credit;
>> -               }
>> +               if (command == SMB2_NEGOTIATE_HE)
>> +                       goto validate_credit;
>> +
>> +               /*
>> +                * cifs client pads smb2 tree connect to 2 bytes.
>> +                */
>> +               if (clc_len + 2 == len)
>> +                       goto validate_credit;
>>
>> -               ksmbd_debug(SMB,
>> +               pr_err_ratelimited(
>>                             "cli req too short, len %d not %d. cmd:%d
>> mid:%llu\n",
>>                             len, clc_len, command,
>>                             le64_to_cpu(hdr->MessageId));
>> --
>> 2.25.1
>>
>
>
> --
> Thanks,
>
> Steve
>