Re: [PATCH v2 5/6] cifs: Validate content of native symlink

Pali Rohár <pali@xxxxxxxxxx> · Mon, 14 Oct 2024 11:39:49 +0200

On Saturday 12 October 2024 23:21:43 Steve French wrote:
> This looks like one of the more important of the fixes of this series
> - let me know if any thoughts or Reviewed-by/Acked-by on it.  I may
> try to send this earlier than the others
> 
> Pali,
> Let me know if I missed dependencies that this patch depends on

This one should be fine. I do not see any dependency for this change.

> On Sat, Oct 5, 2024 at 9:03 AM Pali Rohár <pali@xxxxxxxxxx> wrote:
> >
> > Check that path buffer has correct length (it is non-zero and in UNICODE
> > mode it has even number of bytes) and check that buffer does not contain
> > null character (UTF-16 null codepoint in UNICODE mode or null byte in
> > non-unicode mode) because Linux cannot process symlink with null byte.
> >
> > Signed-off-by: Pali Rohár <pali@xxxxxxxxxx>
> > ---
> >  fs/smb/client/reparse.c | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> >
> > diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
> > index 0d1cea64ab6e..fb1d16b17f38 100644
> > --- a/fs/smb/client/reparse.c
> > +++ b/fs/smb/client/reparse.c
> > @@ -544,6 +544,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
> >         int rc;
> >         int i;
> >
> > +       /* Check that length it valid for unicode/non-unicode mode */
> > +       if (!len || (unicode && (len % 2))) {
> > +               cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
> > +               rc = -EIO;
> > +               goto out;
> > +       }
> > +
> > +       /*
> > +        * Check that buffer does not contain UTF-16 null codepoint in unicode
> > +        * mode or null byte in non-unicode mode because Linux cannot process
> > +        * symlink with null byte.
> > +        */
> > +       if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
> > +           (!unicode && strnlen(buf, len) != len)) {
> > +               cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
> > +               rc = -EIO;
> > +               goto out;
> > +       }
> > +
> >         smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
> >         if (!smb_target) {
> >                 rc = -ENOMEM;
> > --
> > 2.20.1
> >
> >
> 
> 
> -- 
> Thanks,
> 
> Steve