Merge tag '6.3-rc6-smb311-client-negcontext-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fix from Steve French:
"Small client fix for better checking for smb311 negotiate context
overflows, also marked for stable"

* tag '6.3-rc6-smb311-client-negcontext-fix' of git://git.samba.org/sfrench/cifs-2.6:
cifs: fix negotiate context parsing

+31 -10
+31 -10
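--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -587,11 +587,15 @@
 
 }
 
+/* If invalid preauth context warn but use what we requested, SHA-512 */
 static void decode_preauth_context(struct smb2_preauth_neg_context *ctxt)
 {
 unsigned int len = le16_to_cpu(ctxt->DataLength);
 
-/* If invalid preauth context warn but use what we requested, SHA-512 */
+/*
+ * Caller checked that DataLength remains within SMB boundary. We still
+ * need to confirm that one HashAlgorithms member is accounted for.
+ */
 if (len < MIN_PREAUTH_CTXT_DATA_LEN) {
 pr_warn_once("server sent bad preauth context\n");
 return;
@@ -614,7 +610,11 @@
 {
 unsigned int len = le16_to_cpu(ctxt->DataLength);
 
-/* sizeof compress context is a one element compression capbility struct */
+/*
+ * Caller checked that DataLength remains within SMB boundary. We still
+ * need to confirm that one CompressionAlgorithms member is accounted
+ * for.
+ */
 if (len < 10) {
 pr_warn_once("server sent bad compression cntxt\n");
 return;
@@ -640,6 +632,11 @@
 unsigned int len = le16_to_cpu(ctxt->DataLength);
 
 cifs_dbg(FYI, "decode SMB3.11 encryption neg context of len %d\n", len);
+/*
+ * Caller checked that DataLength remains within SMB boundary. We still
+ * need to confirm that one Cipher flexible array member is accounted
+ * for.
+ */
 if (len < MIN_ENCRYPT_CTXT_DATA_LEN) {
 pr_warn_once("server sent bad crypto ctxt len\n");
 return -EINVAL;
@@ -691,6 +678,11 @@
 {
 unsigned int len = le16_to_cpu(pctxt->DataLength);
 
+/*
+ * Caller checked that DataLength remains within SMB boundary. We still
+ * need to confirm that one SigningAlgorithms flexible array member is
+ * accounted for.
+ */
 if ((len < 4) || (len > 16)) {
 pr_warn_once("server sent bad signing negcontext\n");
 return;
@@ -737,14 +719,19 @@
 for (i = 0; i < ctxt_cnt; i++) {
 int clen;
 /* check that offset is not beyond end of SMB */
-if (len_of_ctxts == 0)
-break;
-
 if (len_of_ctxts < sizeof(struct smb2_neg_context))
 break;
 
 pctx = (struct smb2_neg_context *)(offset + (char *)rsp);
-clen = le16_to_cpu(pctx->DataLength);
+clen = sizeof(struct smb2_neg_context)
++ le16_to_cpu(pctx->DataLength);
+/*
+ * 2.2.4 SMB2 NEGOTIATE Response
+ * Subsequent negotiate contexts MUST appear at the first 8-byte
+ * aligned offset following the previous negotiate context.
+ */
+if (i + 1 != ctxt_cnt)
+clen = ALIGN(clen, 8);
 if (clen > len_of_ctxts)
 break;
 
@@ -770,12 +747,10 @@
 else
 cifs_server_dbg(VFS, "unknown negcontext of type %d ignored\n",
 le16_to_cpu(pctx->ContextType));
-
 if (rc)
 break;
-/* offsets must be 8 byte aligned */
-clen = ALIGN(clen, 8);
-offset += clen + sizeof(struct smb2_neg_context);
+
+offset += clen;
 len_of_ctxts -= clen;
 }
 return rc;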
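Review bot: The new `clen = sizeof(struct smb2_neg_context) + le16_to_cpu(pctx->DataLength);` in the context-walking loop stores a size_t sum into `clen`, which the context line just above declares as `int clen;`, and the result is then compared in `if (clen > len_of_ctxts)`. The value is bounded (an 8-byte header plus a 16-bit DataLength, optionally rounded up by ALIGN), so the comparison cannot go wrong here, but if `len_of_ctxts` is unsigned (its declaration is outside the hunk) this is a signed/unsigned comparison that -Wsign-compare would flag. Declaring `unsigned int clen;` would match the rest of the length arithmetic in the loop, and `offset += clen;` / `len_of_ctxts -= clen;` can stay as written. The enclosing function starts and ends outside the hunk.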