From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marios Makassikis, Namjae Jeon, Steve French, Sasha Levin
Subject: [PATCH 5.18 1048/1095] ksmbd: validate length in smb2_write()
Date: Mon, 15 Aug 2022 20:07:27 +0200
Message-Id: <20220815180512.428425284@linuxfoundation.org>
In-Reply-To: <20220815180429.240518113@linuxfoundation.org>
References: <20220815180429.240518113@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marios Makassikis

[ Upstream commit 158a66b245739e15858de42c0ba60fcf3de9b8e6 ]

The SMB2 Write packet contains data that is to be written to a file or
to a pipe. Depending on the client, there may be padding between the
header and the data field. Currently, the length is validated only in
the case padding is present.

Since the DataOffset field always points to the beginning of the data,
there is no need to have a special case for padding. By removing this,
the length is validated in both cases.

Signed-off-by: Marios Makassikis
Acked-by: Namjae Jeon
Signed-off-by: Steve French
Signed-off-by: Sasha Levin
---
 fs/ksmbd/smb2pdu.c | 49 +++++++++++++++++++------------------------------
 1 file changed, 19 insertions(+), 30 deletions(-)

--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -6344,23 +6344,18 @@ static noinline int smb2_write_pipe(stru length = le32_to_cpu(req->Length); id = req->VolatileFileId; - if (le16_to_cpu(req->DataOffset) == - offsetof(struct smb2_write_req, Buffer)) { - data_buf = (char *)&req->Buffer[0]; - } else { - if ((u64)le16_to_cpu(req->DataOffset) + length > - get_rfc1002_len(work->request_buf)) { - pr_err("invalid write data offset %u, smb_len %u\n", - le16_to_cpu(req->DataOffset), - get_rfc1002_len(work->request_buf)); - err = -EINVAL; - goto out; - } - - data_buf = (char *)(((char *)&req->hdr.ProtocolId) + - le16_to_cpu(req->DataOffset)); + if ((u64)le16_to_cpu(req->DataOffset) + length > + get_rfc1002_len(work->request_buf)) { + pr_err("invalid write data offset %u, smb_len %u\n", + le16_to_cpu(req->DataOffset), + get_rfc1002_len(work->request_buf)); + err = -EINVAL; + goto out; } + data_buf = (char *)(((char *)&req->hdr.ProtocolId) + + le16_to_cpu(req->DataOffset)); + rpc_resp = ksmbd_rpc_write(work->sess, id, data_buf, length); if (rpc_resp) { if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) { 
@@ -6505,22 +6500,16 @@ int smb2_write(struct ksmbd_work *work) if (req->Channel != SMB2_CHANNEL_RDMA_V1 && req->Channel != SMB2_CHANNEL_RDMA_V1_INVALIDATE) { - if (le16_to_cpu(req->DataOffset) == - offsetof(struct smb2_write_req, Buffer)) { - data_buf = (char *)&req->Buffer[0]; - } else { - if ((u64)le16_to_cpu(req->DataOffset) + length > - get_rfc1002_len(work->request_buf)) { - pr_err("invalid write data offset %u, smb_len %u\n", - le16_to_cpu(req->DataOffset), - get_rfc1002_len(work->request_buf)); - err = -EINVAL; - goto out; - } - - data_buf = (char *)(((char *)&req->hdr.ProtocolId) + - le16_to_cpu(req->DataOffset)); + if ((u64)le16_to_cpu(req->DataOffset) + length > + get_rfc1002_len(work->request_buf)) { + pr_err("invalid write data offset %u, smb_len %u\n", + le16_to_cpu(req->DataOffset), + get_rfc1002_len(work->request_buf)); + err = -EINVAL; + goto out; } + data_buf = (char *)(((char *)&req->hdr.ProtocolId) + + le16_to_cpu(req->DataOffset)); ksmbd_debug(SMB, "flags %u\n", le32_to_cpu(req->Flags)); if (le32_to_cpu(req->Flags) & SMB2_WRITEFLAG_WRITE_THROUGH)
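Review bot: in the smb2_write_pipe() hunk the new check bounds only the upper end of DataOffset + Length; nothing rejects a DataOffset smaller than offsetof(struct smb2_write_req, Buffer), so a client can send DataOffset of 0 (or any value inside the header) and the computed data_buf then points into the SMB2 header rather than at write data, while still passing `(u64)le16_to_cpu(req->DataOffset) + length > get_rfc1002_len(work->request_buf)`. The removed branch at least pinned the unpadded case to offsetof(..., Buffer); suggest adding `if (le16_to_cpu(req->DataOffset) < offsetof(struct smb2_write_req, Buffer))` returning -EINVAL ahead of the upper-bound check. Separately, the pr_err() now fires for every malformed write from any client; pr_err_ratelimited() or ksmbd_debug() would stop a remote peer from filling the log.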
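Review bot: the smb2_write() hunk repeats the check and the data_buf arithmetic from smb2_write_pipe() verbatim (same pr_err text, same `(char *)&req->hdr.ProtocolId + DataOffset` computation), and it has the same gap: no lower bound on DataOffset, so a value below offsetof(struct smb2_write_req, Buffer) still passes and yields a data_buf inside the header. Suggest factoring both sites into one helper, e.g. `smb2_get_data_buf(work, req, length)` returning the pointer or an ERR_PTR, so the lower-bound check and any future tightening land in one place rather than drifting between the pipe and file paths.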
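The DataOffset/Length arithmetic the commit message describes, as an added example that is not ksmbd's code: it builds constructed SMB2 WRITE packets and runs them through a model of the pre-patch logic (unpadded requests skipped the length check) and the post-patch logic (every request is checked against the RFC1002 length). The wire layout (4-byte RFC1002 prefix, 64-byte SMB2 header, 48-byte WRITE body, Buffer at offset 112) follows MS-SMB2 but is an assumption of this example, and the helper names build_write, locate_data and check_write are invented here.

```c
/* Added example, not ksmbd's code: models the smb2_write() DataOffset/Length
 * check before and after the patch on constructed SMB2 WRITE packets.
 * Layout assumed here (per MS-SMB2): 4-byte RFC1002 length prefix, 64-byte
 * SMB2 header, 48-byte WRITE body with DataOffset at body+2 and Length at
 * body+4, so Buffer starts 112 bytes into the SMB2 message. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFC1002_HDR      4
#define SMB2_HDR_SIZE    64
#define WRITE_BUFFER_OFF (SMB2_HDR_SIZE + 48) /* offsetof(struct smb2_write_req, Buffer) */
#define OFF_DATAOFFSET   (SMB2_HDR_SIZE + 2)
#define OFF_LENGTH       (SMB2_HDR_SIZE + 4)
#define MAX_SMB_LEN      512

struct request_buf {
	uint8_t bytes[RFC1002_HDR + MAX_SMB_LEN];
	size_t  total;            /* bytes actually received from the socket */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* RFC1002 length: 24-bit big-endian count of SMB2 bytes after the prefix,
 * i.e. what ksmbd's get_rfc1002_len(work->request_buf) returns. */
static uint32_t get_rfc1002_len(const struct request_buf *r)
{
	return ((uint32_t)r->bytes[1] << 16) | ((uint32_t)r->bytes[2] << 8) | r->bytes[3];
}

/* Constructed WRITE request: `payload_len` data bytes really follow
 * `data_off`, while the Length field claims `claimed_len` (client-controlled). */
static bool build_write(struct request_buf *r, uint16_t data_off,
			uint32_t claimed_len, size_t payload_len)
{
	static const uint8_t protocol_id[4] = { 0xfe, 'S', 'M', 'B' };
	size_t smb_len = (size_t)data_off + payload_len;
	uint8_t *smb = r->bytes + RFC1002_HDR;

	if (data_off < WRITE_BUFFER_OFF || smb_len > MAX_SMB_LEN)
		return false;
	memset(r, 0, sizeof(*r));
	r->bytes[1] = (smb_len >> 16) & 0xff;
	r->bytes[2] = (smb_len >> 8) & 0xff;
	r->bytes[3] = smb_len & 0xff;
	memcpy(smb, protocol_id, sizeof(protocol_id));
	put_le16(smb + SMB2_HDR_SIZE, 49);     /* StructureSize */
	put_le16(smb + OFF_DATAOFFSET, data_off);
	put_le32(smb + OFF_LENGTH, claimed_len);
	memset(smb + data_off, 'A', payload_len);
	r->total = RFC1002_HDR + smb_len;
	return true;
}

/* Locate the write data the way smb2_write() does. Pre-patch, a request with
 * DataOffset == offsetof(Buffer) (no padding) took a fast path with no
 * length check at all; post-patch, every request is checked. */
static int locate_data(const struct request_buf *r, bool patched,
		       const uint8_t **data, uint32_t *len)
{
	const uint8_t *smb = r->bytes + RFC1002_HDR;
	uint16_t off = get_le16(smb + OFF_DATAOFFSET);

	*len = get_le32(smb + OFF_LENGTH);
	if (!patched && off == WRITE_BUFFER_OFF) {
		*data = smb + WRITE_BUFFER_OFF;      /* unchecked: the bug */
		return 0;
	}
	if ((uint64_t)off + *len > get_rfc1002_len(r))
		return -EINVAL;
	*data = smb + off;
	return 0;
}

/* 0: accepted and data+len lies inside the received bytes;
 * 1: accepted although data+len runs past the packet (out-of-bounds read);
 * -EINVAL: rejected; -ERANGE: the constructed packet itself did not fit. */
int check_write(bool patched, uint16_t data_off, uint32_t claimed_len, size_t payload_len)
{
	struct request_buf r;
	const uint8_t *data;
	uint32_t len;
	int err;

	if (!build_write(&r, data_off, claimed_len, payload_len))
		return -ERANGE;
	err = locate_data(&r, patched, &data, &len);
	if (err)
		return err;
	return (size_t)(data - r.bytes) + len <= r.total ? 0 : 1;
}

int main(void)
{
	/* Unpadded request claiming 4096 bytes of data when only 8 were sent. */
	printf("pre-patch:  %d (1 = over-long read accepted)\n",
	       check_write(false, WRITE_BUFFER_OFF, 4096, 8));
	printf("post-patch: %d (-EINVAL = rejected)\n",
	       check_write(true, WRITE_BUFFER_OFF, 4096, 8));
	return 0;
}
```

The interesting case is the unpadded one: with DataOffset exactly at Buffer, the old code trusted Length outright, so an 8-byte packet claiming 4096 bytes was handed to the write path as-is; the padded variant of the same packet was already rejected. Note that neither version in this model rejects a DataOffset below Buffer, which build_write refuses to construct; that lower bound is a separate check.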