Patch "ksmbd: validate the zero field of packet header" has been added to the 6.6-stable tree

This is a note to let you know that I've just added the patch titled

    ksmbd: validate the zero field of packet header

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ksmbd-validate-the-zero-field-of-packet-header.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 86a0e914f0f817bd1ebae67325f37dcf735feb5e
Author: Li Nan <linan122@xxxxxxxxxx>
Date:   Fri Dec 8 14:56:47 2023 +0800

    ksmbd: validate the zero field of packet header
    
    [ Upstream commit 516b3eb8c8065f7465f87608d37a7ed08298c7a5 ]
    
    The SMB2 Protocol requires that "The first byte of the Direct TCP
    transport packet header MUST be zero (0x00)"[1]. Commit 1c1bcf2d3ea0
    ("ksmbd: validate smb request protocol id") removed the validation of
    this 1-byte zero. Add the validation back now.
    
    [1]: [MS-SMB2] - v20230227, page 30.
    https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/%5bMS-SMB2%5d-230227.pdf
    
    Fixes: 1c1bcf2d3ea0 ("ksmbd: validate smb request protocol id")
    Signed-off-by: Li Nan <linan122@xxxxxxxxxx>
    Acked-by: Tom Talpey <tom@xxxxxxxxxx>
    Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c
index 6691ae68af0c..7c98bf699772 100644
--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@@ -158,8 +158,12 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
  */
 bool ksmbd_smb_request(struct ksmbd_conn *conn)
 {
-	__le32 *proto = (__le32 *)smb2_get_msg(conn->request_buf);
+	__le32 *proto;
 
+	if (conn->request_buf[0] != 0)
+		return false;
+
+	proto = (__le32 *)smb2_get_msg(conn->request_buf);
 	if (*proto == SMB2_COMPRESSION_TRANSFORM_ID) {
 		pr_err_ratelimited("smb2 compression not support yet");
 		return false;
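
Review bot: the new `if (conn->request_buf[0] != 0) return false;` at the top of ksmbd_smb_request() rejects the packet silently and uses a bare index with no comment, while the compression branch just below it logs through pr_err_ratelimited(). A one-line comment stating that byte 0 is the zero field of the Direct TCP transport header ([MS-SMB2], as cited in the commit message) would make the intent clear to the next reader, and a ratelimited message on this path would let an operator tell a malformed frame apart from the other reasons this function returns false. The visible lines also do not show where the length of conn->request_buf is established before it is indexed and passed to smb2_get_msg(), so it is worth confirming that the caller guarantees at least the transport header plus the 4-byte protocol id.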




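The header rule quoted in the commit message, as an added user-space C example (not part of the patch and not ksmbd code): it validates one Direct TCP frame by checking the zero byte first, then the 3-byte big-endian length, then the protocol id. The function, enum names and sample frames are constructed for illustration, and unlike the kernel function it accepts only the SMB2 id 0xFE 'S' 'M' 'B'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (hypothetical names, not ksmbd's). */
enum frame_status { FRAME_OK, FRAME_TRUNCATED, FRAME_BAD_ZERO, FRAME_BAD_PROTO };

#define TRANSPORT_HDR_LEN 4 /* 1 zero byte + 3-byte big-endian length */

/* Validate one Direct TCP frame; on success *msg_len gets the declared length. */
enum frame_status check_direct_tcp_frame(const uint8_t *buf, size_t buf_len,
                                         uint32_t *msg_len)
{
    static const uint8_t smb2_id[4] = { 0xFE, 'S', 'M', 'B' };
    uint32_t len;

    if (buf_len < TRANSPORT_HDR_LEN)
        return FRAME_TRUNCATED;
    /* Reject a non-zero first byte before trusting the rest of the header. */
    if (buf[0] != 0x00)
        return FRAME_BAD_ZERO;
    len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    /* The declared length must cover the protocol id and fit the buffer. */
    if (len < sizeof(smb2_id) || buf_len - TRANSPORT_HDR_LEN < len)
        return FRAME_TRUNCATED;
    if (memcmp(buf + TRANSPORT_HDR_LEN, smb2_id, sizeof(smb2_id)) != 0)
        return FRAME_BAD_PROTO;
    *msg_len = len;
    return FRAME_OK;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t sample_good[]     = { 0x00, 0, 0, 8, 0xFE, 'S', 'M', 'B', 0, 0, 0, 0 };
const uint8_t sample_bad_zero[] = { 0x01, 0, 0, 8, 0xFE, 'S', 'M', 'B', 0, 0, 0, 0 };
const uint8_t sample_short[]    = { 0x00, 0, 0, 64, 0xFE, 'S', 'M', 'B' };
const uint8_t sample_bad_id[]   = { 0x00, 0, 0, 8, 'J', 'U', 'N', 'K', 0, 0, 0, 0 };

int main(void)
{
    uint32_t n = 0;

    printf("good=%d ", check_direct_tcp_frame(sample_good, sizeof(sample_good), &n));
    printf("bad_zero=%d ", check_direct_tcp_frame(sample_bad_zero, sizeof(sample_bad_zero), &n));
    printf("short=%d ", check_direct_tcp_frame(sample_short, sizeof(sample_short), &n));
    printf("bad_id=%d\n", check_direct_tcp_frame(sample_bad_id, sizeof(sample_bad_id), &n));
    return 0;
}
```
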