Merge tag '6.9-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:
"Three fixes, all also for stable:

- encryption fix

- memory overrun fix

- oplock break fix"

* tag '6.9-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
ksmbd: validate payload size in ipc response
ksmbd: don't send oplock break if rename fails

+52 -8
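--- a/fs/smb/server/ksmbd_netlink.h
+++ b/fs/smb/server/ksmbd_netlink.h
@@ -167,7 +167,8 @@
 __u16 force_uid;
 __u16 force_gid;
 __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
-__u32 reserved[112]; /* Reserved room */
+__u32 reserved[111]; /* Reserved room */
+__u32 payload_sz;
 __u32 veto_list_sz;
 __s8 ____payload[];
 };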
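Review bot: `payload_sz` at new line 171 is added without a comment, while the neighbouring `reserved` field keeps one, so a reader of the header cannot tell what it counts or what zero means. The consumers on this page (share_config.c and transport_ipc.c) only act on a non-zero value, which suggests zero is the "not reported" case for a peer that does not fill the field. Suggest `__u32 payload_sz; /* size in bytes of ____payload; 0 = not reported, size validation is skipped */`. The enclosing struct begins outside the hunk.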
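--- a/fs/smb/server/mgmt/share_config.c
+++ b/fs/smb/server/mgmt/share_config.c
@@ -158,7 +158,12 @@
 share->name = kstrdup(name, GFP_KERNEL);
 
 if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
-share->path = kstrdup(ksmbd_share_config_path(resp),
+int path_len = PATH_MAX;
+
+if (resp->payload_sz)
+path_len = resp->payload_sz - resp->veto_list_sz;
+
+share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
 GFP_KERNEL);
 if (share->path)
 share->path_sz = strlen(share->path);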
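Review bot: `path_len` at new line 161 is declared `int` but receives the difference of two `__u32` fields and is then passed to `kstrndup()`, which takes a `size_t`; declaring it `size_t path_len = PATH_MAX;` avoids the signed/unsigned round trip. The subtraction at line 164 is only non-negative because `ipc_validate_msg()` in transport_ipc.c has already rejected `payload_sz < veto_list_sz`, and that dependency deserves a comment here, e.g. `/* payload_sz >= veto_list_sz was checked by ipc_validate_msg() */`. When `payload_sz` is zero the bound falls back to `PATH_MAX` rather than the received message size, so the compatibility path is presumably still only as safe as the peer's NUL-termination; worth stating in the same comment. The enclosing function starts outside the hunk.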
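--- a/fs/smb/server/smb2ops.c
+++ b/fs/smb/server/smb2ops.c
@@ -228,6 +228,11 @@
 conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
 conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
 
+if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
 if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
 conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
 }
@@ -282,11 +277,6 @@
 if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
 conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
 SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
-
-if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
-(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
-conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
-conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
 
 if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
 conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;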
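Review bot: The block added at new lines 231-234 ends with exactly the same `conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION` test and the same `conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;` as the context lines 228-229 directly above it; if the lines above 228 (outside the hunk) are the same `KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION` check, the new block is a verbatim duplicate inside one function and should be dropped. What the commit title describes is already achieved by the removal in the second hunk (old lines 285-289) on its own. Both functions start outside the hunks; a comment in the second one such as `/* encryption is not advertised via SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 */` would record why that block is gone and discourage it being re-added.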
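--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -5857,8 +5857,9 @@
 if (!file_info->ReplaceIfExists)
 flags = RENAME_NOREPLACE;
 
-smb_break_all_levII_oplock(work, fp, 0);
 rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
+if (!rc)
+smb_break_all_levII_oplock(work, fp, 0);
 out:
 kfree(new_name);
 return rc;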
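Review bot: The oplock break at new lines 5861-5862 now runs only once `ksmbd_vfs_rename()` has returned 0, but nothing in the code records why the order matters, and the commit message says only "don't send oplock break if rename fails". A one-line comment above the `if (!rc)` such as `/* break level II oplocks only once the rename has actually happened */` would stop a later refactor from moving the call back in front of the rename. The enclosing function begins outside the hunk.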
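--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -65,6 +65,7 @@
 struct hlist_node ipc_table_hlist;
 
 void *response;
+unsigned int msg_sz;
 };
 
 static struct delayed_work ipc_timer_work;
@@ -276,6 +275,7 @@
 }
 
 memcpy(entry->response, payload, sz);
+entry->msg_sz = sz;
 wake_up_interruptible(&entry->wait);
 ret = 0;
 break;
@@ -455,6 +453,34 @@
 return ret;
 }
 
+static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
+{
+unsigned int msg_sz = entry->msg_sz;
+
+if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
+struct ksmbd_rpc_command *resp = entry->response;
+
+msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
+} else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
+struct ksmbd_spnego_authen_response *resp = entry->response;
+
+msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
+resp->session_key_len + resp->spnego_blob_len;
+} else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
+struct ksmbd_share_config_response *resp = entry->response;
+
+if (resp->payload_sz) {
+if (resp->payload_sz < resp->veto_list_sz)
+return -EINVAL;
+
+msg_sz = sizeof(struct ksmbd_share_config_response) +
+resp->payload_sz;
+}
+}
+
+return entry->msg_sz != msg_sz ? -EINVAL : 0;
+}
+
 static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
 {
 struct ipc_msg_table_entry entry;
@@ -507,6 +477,13 @@
 ret = wait_event_interruptible_timeout(entry.wait,
 entry.response != NULL,
 IPC_WAIT_TIMEOUT);
+if (entry.response) {
+ret = ipc_validate_msg(&entry);
+if (ret) {
+kvfree(entry.response);
+entry.response = NULL;
+}
+}
 out:
 down_write(&ipc_msg_table_lock);
 hash_del(&entry.ipc_table_hlist);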
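Review bot: The expected sizes in `ipc_validate_msg()` (new lines 463, 467-468 and 476-477) are computed in `unsigned int` from `__u32` fields supplied by the IPC peer, so a sum can wrap and still compare equal to `entry->msg_sz` at line 481 even though the individual lengths exceed the buffer; the SPNEGO branch adds two peer-controlled lengths and is the most exposed. The response fields are also read before anything confirms that `entry->msg_sz` covers the header struct, so unless the receive path already enforces a minimum size (not visible here) that check belongs at the top of each branch. Doing the arithmetic in `size_t` with `size_add()` from linux/overflow.h, which saturates at `SIZE_MAX` and can therefore never equal a `u32` length, closes the wrap, and the header-size check closes the short-message read. The caller change at new lines 480-486 is fine as written; `ipc_msg_send_request()` itself starts and ends outside the hunk.
```c
static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
{
	size_t msg_sz = entry->msg_sz;

	if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
		struct ksmbd_rpc_command *resp = entry->response;

		/* the header must fit before any of its fields are read */
		if (entry->msg_sz < sizeof(*resp))
			return -EINVAL;
		msg_sz = size_add(sizeof(*resp), resp->payload_sz);
	} else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
		struct ksmbd_spnego_authen_response *resp = entry->response;

		if (entry->msg_sz < sizeof(*resp))
			return -EINVAL;
		msg_sz = size_add(size_add(sizeof(*resp), resp->session_key_len),
				  resp->spnego_blob_len);
	}
	/* … unchanged: KSMBD_EVENT_SHARE_CONFIG_REQUEST branch, with the same header-size check added … */

	/* size_add() saturates at SIZE_MAX, which can never match a u32 msg_sz */
	return entry->msg_sz != msg_sz ? -EINVAL : 0;
}
```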