This is a note to let you know that I've just added the patch titled
ksmbd: do not allow the actual frame length to be smaller than the rfc1002 length
to the 6.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-do-not-allow-the-actual-frame-length-to-be-smaller-than-the-rfc1002-length.patch
and it can be found in the queue-6.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From fb533473d1595fe79ecb528fda1de33552b07178 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Sat, 11 Feb 2023 00:27:34 +0900
Subject: ksmbd: do not allow the actual frame length to be smaller than the rfc1002 length
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
commit fb533473d1595fe79ecb528fda1de33552b07178 upstream.
ksmbd allowed the actual frame length to be smaller than the rfc1002
length. If allowed, it is possible to allocates a large amount of memory
that can be limited by credit management and can eventually cause memory
exhaustion problem. This patch do not allow it except SMB2 Negotiate
request which will be validated when message handling proceeds.
Also, Allow a message that padded to 8byte boundary.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/smb2misc.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -408,20 +408,19 @@ int ksmbd_smb2_check_message(struct ksmb
goto validate_credit;
/*
- * windows client also pad up to 8 bytes when compounding.
- * If pad is longer than eight bytes, log the server behavior
- * (once), since may indicate a problem but allow it and
- * continue since the frame is parseable.
+ * SMB2 NEGOTIATE request will be validated when message
+ * handling proceeds.
*/
- if (clc_len < len) {
- ksmbd_debug(SMB,
- "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
- len, clc_len, command,
- le64_to_cpu(hdr->MessageId));
+ if (command == SMB2_NEGOTIATE_HE)
goto validate_credit;
- }
- ksmbd_debug(SMB,
+ /*
+ * Allow a message that padded to 8byte boundary.
+ */
+ if (clc_len < len && (len - clc_len) < 8)
+ goto validate_credit;
+
+ pr_err_ratelimited(
"cli req too short, len %d not %d. cmd:%d mid:%llu\n",
len, clc_len, command,
le64_to_cpu(hdr->MessageId));
Patches currently in stable-queue which might be from linkinjeon@xxxxxxxxxx are
queue-6.2/ksmbd-fix-possible-memory-leak-in-smb2_lock.patch
queue-6.2/ksmbd-do-not-allow-the-actual-frame-length-to-be-smaller-than-the-rfc1002-length.patch
queue-6.2/cifs-don-t-try-to-use-rdma-offload-on-encrypted-connections.patch
queue-6.2/ksmbd-fix-wrong-data-area-length-for-smb2-lock-request.patch
queue-6.2/cifs-introduce-cifs_io_parms-in-smb2_async_writev.patch
queue-6.2/cifs-split-out-smb3_use_rdma_offload-helper.patch
