Skip to content

Commit

Permalink
ksmbd: validate smb request protocol id
Browse files Browse the repository at this point in the history 
This patch add the validation for smb request protocol id.
If it is not one of the four ids(SMB1_PROTO_NUMBER, SMB2_PROTO_NUMBER,
SMB2_TRANSFORM_PROTO_NUM, SMB2_COMPRESSION_TRANSFORM_ID), don't allow
processing the request. And this will fix the following KASAN warning
also.

[   13.905265] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1b9/0x1f0
[   13.905900] Read of size 16 at addr ffff888005fd2f34 by task kworker/0:2/44
...
[   13.908553] Call Trace:
[   13.908793]  <TASK>
[   13.908995]  dump_stack_lvl+0x33/0x50
[   13.909369]  print_report+0xcc/0x620
[   13.910870]  kasan_report+0xae/0xe0
[   13.911519]  kasan_check_range+0x35/0x1b0
[   13.911796]  init_smb2_rsp_hdr+0x1b9/0x1f0
[   13.912492]  handle_ksmbd_work+0xe5/0x820

Cc: stable@vger.kernel.org
Reported-by: Chih-Yen Chang <cc85nod@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
  • Loading branch information
@namjaejeon
namjaejeon authored and Steve French committed Jun 2, 2023
1 parent 368ba06 commit 1c1bcf2
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 3 deletions.
5 changes: 3 additions & 2 deletions fs/smb/server/connection.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -364,8 +364,6 @@ int ksmbd_conn_handler_loop(void *p)
break;

memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));
if (!ksmbd_smb_request(conn))
break;

/*
* We already read 4 bytes to find out PDU size, now
Expand All @@ -383,6 +381,9 @@ int ksmbd_conn_handler_loop(void *p)
continue;
}

if (!ksmbd_smb_request(conn))
break;

if (((struct smb2_hdr *)smb2_get_msg(conn->request_buf))->ProtocolId ==
SMB2_PROTO_NUMBER) {
if (pdu_size < SMB2_MIN_SUPPORTED_HEADER_SIZE)
Expand Down
14 changes: 13 additions & 1 deletion fs/smb/server/smb_common.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,19 @@ int ksmbd_verify_smb_message(struct ksmbd_work *work)
*/
bool ksmbd_smb_request(struct ksmbd_conn *conn)
{
return conn->request_buf[0] == 0;
__le32 *proto = (__le32 *)smb2_get_msg(conn->request_buf);

if (*proto == SMB2_COMPRESSION_TRANSFORM_ID) {
pr_err_ratelimited("smb2 compression not support yet");
return false;
}

if (*proto != SMB1_PROTO_NUMBER &&
*proto != SMB2_PROTO_NUMBER &&
*proto != SMB2_TRANSFORM_PROTO_NUM)
return false;

return true;
}

static bool supported_protocol(int idx)
Expand Down

0 comments on commit 1c1bcf2

Please sign in to comment.