Patch "ksmbd: Fix wrong return value and message length check in smb2_ioctl()" has been added to the 5.19-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 16 Oct 2022 14:31:27 +0200

This is a note to let you know that I've just added the patch titled

    ksmbd: Fix wrong return value and message length check in smb2_ioctl()

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b1763d265af62800ec96eeb79803c4c537dcef3a Mon Sep 17 00:00:00 2001
From: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
Date: Mon, 26 Sep 2022 11:36:30 +0800
Subject: ksmbd: Fix wrong return value and message length check in smb2_ioctl()

From: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>

commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.

Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
break, and move its struct to smbfs_common") use the defination
of 'struct validate_negotiate_info_req' in smbfs_common, the
array length of 'Dialects' changed from 1 to 4, but the protocol
does not require the client to send all 4. This lead the request
which satisfied with protocol and server to fail.

So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it
to validate the payload length and each dialect.

Also when the {in, out}_buf_len is less than the required, should
goto out to initialize the status in the response header.

Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/ksmbd/smb2pdu.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7627,11 +7627,16 @@ int smb2_ioctl(struct ksmbd_work *work)
 			goto out;
 		}
 
-		if (in_buf_len < sizeof(struct validate_negotiate_info_req))
-			return -EINVAL;
+		if (in_buf_len < offsetof(struct validate_negotiate_info_req,
+					  Dialects)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
-		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
-			return -EINVAL;
+		if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
+			ret = -EINVAL;
+			goto out;
+		}
 
 		ret = fsctl_validate_negotiate_info(conn,
 			(struct validate_negotiate_info_req *)&req->Buffer[0],


Patches currently in stable-queue which might be from zhangxiaoxu5@xxxxxxxxxx are

queue-5.19/ksmbd-fix-wrong-return-value-and-message-length-check-in-smb2_ioctl.patch
queue-5.19/cifs-fix-the-error-length-of-validate_negotiate_info-message.patch






