On Mon, Jan 08, 2024 at 11:52:45AM -0300, Paulo Alcantara wrote:
> Hi Jan,
>
> Thanks for the report.
>
> So this bug is related to an off-by-one in smb2_set_next_command() when
> the client attempts to pad SMB2_QUERY_INFO request -- since it isn't 8 byte
> aligned -- even though smb2_query_info_compound() doesn't provide an extra
> iov for such padding.
>
> v6.1.y doesn't have
>
> eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
>
> and the commit does
>
> + if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
> + len > CIFSMaxBufSize))
> + return -EINVAL;
> +
>
> so sizeof(*req) will wrongly include the extra byte from
> smb2_query_info_req::Buffer making @len unaligned and therefore causing
> OOB in smb2_set_next_command().
>
> A simple fix for that would be
>
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 05ff8a457a3d..aed5067661de 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -3556,7 +3556,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
>
> iov[0].iov_base = (char *)req;
> /* 1 for Buffer */
> - iov[0].iov_len = len;
> + iov[0].iov_len = len - 1;
> return 0;
> }
>

Why can't we just include eb3e28c1e89b ("smb3: Replace smb2pdu 1-element
arrays with flex-arrays") to resolve this?

I've queued it up now.

thanks,

greg k-h
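Review bot: in the quoted SMB2_query_info_init() hunk, the `- 1` in `iov[0].iov_len = len - 1;` is a bare literal whose meaning rests only on the pre-existing `/* 1 for Buffer */` context comment; if this one-line fix is what lands in v6.1.y, write it as `len - sizeof(req->Buffer)` so the subtraction is tied to the 1-element `smb2_query_info_req::Buffer` it compensates for and cannot silently drift if the struct changes, and state in the commit message that @len is still computed from sizeof(*req) (the value fed to the check_add_overflow()/CIFSMaxBufSize check) and only the iov length is corrected. Since the quoted analysis names the missing eb3e28c1e89b flex-array conversion as the root cause, backporting that commit fixes sizeof(*req) for every user of the struct rather than patching this single iov length, which is the option the reply takes.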