Skip to content

Commit c6cd2e8

Browse files
namjaejeonSteve French
namjaejeon
authored and
Steve French
committed
ksmbd: fix potencial out-of-bounds when buffer offset is invalid
I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length. Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]>
1 parent a80a486 commit c6cd2e8

File tree

2 files changed

+42
-29
lines changed

2 files changed

+42
-29
lines changed

fs/smb/server/smb2misc.c

Lines changed: 16 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,9 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
101101
*len = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength);
102102
break;
103103
case SMB2_TREE_CONNECT:
104-
*off = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathOffset);
104+
*off = max_t(unsigned short int,
105+
le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathOffset),
106+
offsetof(struct smb2_tree_connect_req, Buffer));
105107
*len = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathLength);
106108
break;
107109
case SMB2_CREATE:
@@ -110,7 +112,6 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
110112
max_t(unsigned short int,
111113
le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset),
112114
offsetof(struct smb2_create_req, Buffer));
113-
114115
unsigned short int name_len =
115116
le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength);
116117

@@ -131,11 +132,15 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
131132
break;
132133
}
133134
case SMB2_QUERY_INFO:
134-
*off = le16_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferOffset);
135+
*off = max_t(unsigned int,
136+
le16_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferOffset),
137+
offsetof(struct smb2_query_info_req, Buffer));
135138
*len = le32_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferLength);
136139
break;
137140
case SMB2_SET_INFO:
138-
*off = le16_to_cpu(((struct smb2_set_info_req *)hdr)->BufferOffset);
141+
*off = max_t(unsigned int,
142+
le16_to_cpu(((struct smb2_set_info_req *)hdr)->BufferOffset),
143+
offsetof(struct smb2_set_info_req, Buffer));
139144
*len = le32_to_cpu(((struct smb2_set_info_req *)hdr)->BufferLength);
140145
break;
141146
case SMB2_READ:
@@ -145,7 +150,7 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
145150
case SMB2_WRITE:
146151
if (((struct smb2_write_req *)hdr)->DataOffset ||
147152
((struct smb2_write_req *)hdr)->Length) {
148-
*off = max_t(unsigned int,
153+
*off = max_t(unsigned short int,
149154
le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset),
150155
offsetof(struct smb2_write_req, Buffer));
151156
*len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
@@ -156,7 +161,9 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
156161
*len = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoLength);
157162
break;
158163
case SMB2_QUERY_DIRECTORY:
159-
*off = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameOffset);
164+
*off = max_t(unsigned short int,
165+
le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameOffset),
166+
offsetof(struct smb2_query_directory_req, Buffer));
160167
*len = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameLength);
161168
break;
162169
case SMB2_LOCK:
@@ -171,7 +178,9 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
171178
break;
172179
}
173180
case SMB2_IOCTL:
174-
*off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset);
181+
*off = max_t(unsigned int,
182+
le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset),
183+
offsetof(struct smb2_ioctl_req, Buffer));
175184
*len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount);
176185
break;
177186
default:

fs/smb/server/smb2pdu.c

Lines changed: 26 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1927,7 +1927,7 @@ int smb2_tree_connect(struct ksmbd_work *work)
19271927

19281928
WORK_BUFFERS(work, req, rsp);
19291929

1930-
treename = smb_strndup_from_utf16(req->Buffer,
1930+
treename = smb_strndup_from_utf16((char *)req + le16_to_cpu(req->PathOffset),
19311931
le16_to_cpu(req->PathLength), true,
19321932
conn->local_nls);
19331933
if (IS_ERR(treename)) {
@@ -2840,7 +2840,7 @@ int smb2_open(struct ksmbd_work *work)
28402840
goto err_out2;
28412841
}
28422842

2843-
name = smb2_get_name(req->Buffer,
2843+
name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset),
28442844
le16_to_cpu(req->NameLength),
28452845
work->conn->local_nls);
28462846
if (IS_ERR(name)) {
@@ -4305,7 +4305,7 @@ int smb2_query_dir(struct ksmbd_work *work)
43054305
}
43064306

43074307
srch_flag = req->Flags;
4308-
srch_ptr = smb_strndup_from_utf16(req->Buffer,
4308+
srch_ptr = smb_strndup_from_utf16((char *)req + le16_to_cpu(req->FileNameOffset),
43094309
le16_to_cpu(req->FileNameLength), 1,
43104310
conn->local_nls);
43114311
if (IS_ERR(srch_ptr)) {
@@ -4565,7 +4565,8 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
45654565
sizeof(struct smb2_ea_info_req))
45664566
return -EINVAL;
45674567

4568-
ea_req = (struct smb2_ea_info_req *)req->Buffer;
4568+
ea_req = (struct smb2_ea_info_req *)((char *)req +
4569+
le16_to_cpu(req->InputBufferOffset));
45694570
} else {
45704571
/* need to send all EAs, if no specific EA is requested*/
45714572
if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
@@ -6211,38 +6212,39 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
62116212
struct ksmbd_share_config *share)
62126213
{
62136214
unsigned int buf_len = le32_to_cpu(req->BufferLength);
6215+
char *buffer = (char *)req + le16_to_cpu(req->BufferOffset);
62146216

62156217
switch (req->FileInfoClass) {
62166218
case FILE_BASIC_INFORMATION:
62176219
{
62186220
if (buf_len < sizeof(struct smb2_file_basic_info))
62196221
return -EINVAL;
62206222

6221-
return set_file_basic_info(fp, (struct smb2_file_basic_info *)req->Buffer, share);
6223+
return set_file_basic_info(fp, (struct smb2_file_basic_info *)buffer, share);
62226224
}
62236225
case FILE_ALLOCATION_INFORMATION:
62246226
{
62256227
if (buf_len < sizeof(struct smb2_file_alloc_info))
62266228
return -EINVAL;
62276229

62286230
return set_file_allocation_info(work, fp,
6229-
(struct smb2_file_alloc_info *)req->Buffer);
6231+
(struct smb2_file_alloc_info *)buffer);
62306232
}
62316233
case FILE_END_OF_FILE_INFORMATION:
62326234
{
62336235
if (buf_len < sizeof(struct smb2_file_eof_info))
62346236
return -EINVAL;
62356237

62366238
return set_end_of_file_info(work, fp,
6237-
(struct smb2_file_eof_info *)req->Buffer);
6239+
(struct smb2_file_eof_info *)buffer);
62386240
}
62396241
case FILE_RENAME_INFORMATION:
62406242
{
62416243
if (buf_len < sizeof(struct smb2_file_rename_info))
62426244
return -EINVAL;
62436245

62446246
return set_rename_info(work, fp,
6245-
(struct smb2_file_rename_info *)req->Buffer,
6247+
(struct smb2_file_rename_info *)buffer,
62466248
buf_len);
62476249
}
62486250
case FILE_LINK_INFORMATION:
@@ -6251,7 +6253,7 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
62516253
return -EINVAL;
62526254

62536255
return smb2_create_link(work, work->tcon->share_conf,
6254-
(struct smb2_file_link_info *)req->Buffer,
6256+
(struct smb2_file_link_info *)buffer,
62556257
buf_len, fp->filp,
62566258
work->conn->local_nls);
62576259
}
@@ -6261,7 +6263,7 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
62616263
return -EINVAL;
62626264

62636265
return set_file_disposition_info(fp,
6264-
(struct smb2_file_disposition_info *)req->Buffer);
6266+
(struct smb2_file_disposition_info *)buffer);
62656267
}
62666268
case FILE_FULL_EA_INFORMATION:
62676269
{
@@ -6274,22 +6276,22 @@ static int smb2_set_info_file(struct ksmbd_work *work, struct ksmbd_file *fp,
62746276
if (buf_len < sizeof(struct smb2_ea_info))
62756277
return -EINVAL;
62766278

6277-
return smb2_set_ea((struct smb2_ea_info *)req->Buffer,
6279+
return smb2_set_ea((struct smb2_ea_info *)buffer,
62786280
buf_len, &fp->filp->f_path, true);
62796281
}
62806282
case FILE_POSITION_INFORMATION:
62816283
{
62826284
if (buf_len < sizeof(struct smb2_file_pos_info))
62836285
return -EINVAL;
62846286

6285-
return set_file_position_info(fp, (struct smb2_file_pos_info *)req->Buffer);
6287+
return set_file_position_info(fp, (struct smb2_file_pos_info *)buffer);
62866288
}
62876289
case FILE_MODE_INFORMATION:
62886290
{
62896291
if (buf_len < sizeof(struct smb2_file_mode_info))
62906292
return -EINVAL;
62916293

6292-
return set_file_mode_info(fp, (struct smb2_file_mode_info *)req->Buffer);
6294+
return set_file_mode_info(fp, (struct smb2_file_mode_info *)buffer);
62936295
}
62946296
}
62956297

@@ -6370,7 +6372,7 @@ int smb2_set_info(struct ksmbd_work *work)
63706372
}
63716373
rc = smb2_set_info_sec(fp,
63726374
le32_to_cpu(req->AdditionalInformation),
6373-
req->Buffer,
6375+
(char *)req + le16_to_cpu(req->BufferOffset),
63746376
le32_to_cpu(req->BufferLength));
63756377
ksmbd_revert_fsids(work);
63766378
break;
@@ -7816,7 +7818,7 @@ static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
78167818
struct smb2_ioctl_rsp *rsp)
78177819
{
78187820
struct ksmbd_rpc_command *rpc_resp;
7819-
char *data_buf = (char *)&req->Buffer[0];
7821+
char *data_buf = (char *)req + le32_to_cpu(req->InputOffset);
78207822
int nbytes = 0;
78217823

78227824
rpc_resp = ksmbd_rpc_ioctl(work->sess, id, data_buf,
@@ -7929,6 +7931,7 @@ int smb2_ioctl(struct ksmbd_work *work)
79297931
u64 id = KSMBD_NO_FID;
79307932
struct ksmbd_conn *conn = work->conn;
79317933
int ret = 0;
7934+
char *buffer;
79327935

79337936
if (work->next_smb2_rcv_hdr_off) {
79347937
req = ksmbd_req_buf_next(work);
@@ -7951,6 +7954,8 @@ int smb2_ioctl(struct ksmbd_work *work)
79517954
goto out;
79527955
}
79537956

7957+
buffer = (char *)req + le32_to_cpu(req->InputOffset);
7958+
79547959
cnt_code = le32_to_cpu(req->CtlCode);
79557960
ret = smb2_calc_max_out_buf_len(work, 48,
79567961
le32_to_cpu(req->MaxOutputResponse));
@@ -8008,7 +8013,7 @@ int smb2_ioctl(struct ksmbd_work *work)
80088013
}
80098014

80108015
ret = fsctl_validate_negotiate_info(conn,
8011-
(struct validate_negotiate_info_req *)&req->Buffer[0],
8016+
(struct validate_negotiate_info_req *)buffer,
80128017
(struct validate_negotiate_info_rsp *)&rsp->Buffer[0],
80138018
in_buf_len);
80148019
if (ret < 0)
@@ -8061,7 +8066,7 @@ int smb2_ioctl(struct ksmbd_work *work)
80618066
rsp->VolatileFileId = req->VolatileFileId;
80628067
rsp->PersistentFileId = req->PersistentFileId;
80638068
fsctl_copychunk(work,
8064-
(struct copychunk_ioctl_req *)&req->Buffer[0],
8069+
(struct copychunk_ioctl_req *)buffer,
80658070
le32_to_cpu(req->CtlCode),
80668071
le32_to_cpu(req->InputCount),
80678072
req->VolatileFileId,
@@ -8074,8 +8079,7 @@ int smb2_ioctl(struct ksmbd_work *work)
80748079
goto out;
80758080
}
80768081

8077-
ret = fsctl_set_sparse(work, id,
8078-
(struct file_sparse *)&req->Buffer[0]);
8082+
ret = fsctl_set_sparse(work, id, (struct file_sparse *)buffer);
80798083
if (ret < 0)
80808084
goto out;
80818085
break;
@@ -8098,7 +8102,7 @@ int smb2_ioctl(struct ksmbd_work *work)
80988102
}
80998103

81008104
zero_data =
8101-
(struct file_zero_data_information *)&req->Buffer[0];
8105+
(struct file_zero_data_information *)buffer;
81028106

81038107
off = le64_to_cpu(zero_data->FileOffset);
81048108
bfz = le64_to_cpu(zero_data->BeyondFinalZero);
@@ -8129,7 +8133,7 @@ int smb2_ioctl(struct ksmbd_work *work)
81298133
}
81308134

81318135
ret = fsctl_query_allocated_ranges(work, id,
8132-
(struct file_allocated_range_buffer *)&req->Buffer[0],
8136+
(struct file_allocated_range_buffer *)buffer,
81338137
(struct file_allocated_range_buffer *)&rsp->Buffer[0],
81348138
out_buf_len /
81358139
sizeof(struct file_allocated_range_buffer), &nbytes);
@@ -8173,7 +8177,7 @@ int smb2_ioctl(struct ksmbd_work *work)
81738177
goto out;
81748178
}
81758179

8176-
dup_ext = (struct duplicate_extents_to_file *)&req->Buffer[0];
8180+
dup_ext = (struct duplicate_extents_to_file *)buffer;
81778181

81788182
fp_in = ksmbd_lookup_fd_slow(work, dup_ext->VolatileFileHandle,
81798183
dup_ext->PersistentFileHandle);

0 commit comments

Comments
 (0)