2023-05-18 23:42 GMT+09:00, HexRabbit <h3xrabbit@xxxxxxxxx>:
> From: Kuan-Ting Chen <h3xrabbit@xxxxxxxxx>
>
> Check the remaining data length before accessing the context structure
> to ensure that the entire structure is contained within the packet.
> Additionally, since the context data length `ctxt_len` has already been
> checked against the total packet length `len_of_ctxts`, update the
> comparison to use `ctxt_len`.
>
> Signed-off-by: Kuan-Ting Chen <h3xrabbit@xxxxxxxxx>
> ---
> fs/ksmbd/smb2pdu.c | 52 +++++++++++++++++++++++++++++-----------------
> 1 file changed, 33 insertions(+), 19 deletions(-)
>
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index 972176bff..0285c3f9e 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -849,13 +849,13 @@ static void assemble_neg_contexts(struct ksmbd_conn
> *conn,
>
> static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
> struct smb2_preauth_neg_context *pneg_ctxt,
> - int len_of_ctxts)
> + int ctxt_len)
> {
> /*
> * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
> * which may not be present. Only check for used HashAlgorithms[1].
> */
> - if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
> + if (ctxt_len < MIN_PREAUTH_CTXT_DATA_LEN)
if (ctxt_len < sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN)
You need to plus sizeof(struct smb2_neg_context) here. MIN_PREAUTH_CTXT_DATA_LEN accounts for HashAlgorithmCount, SaltLength, and 1 HashAlgorithm.
> return STATUS_INVALID_PARAMETER;