Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'v6.19-rc2-smb3-server-fixes' of git://git.samba.org/ksmbd
Pull smb server fixes from Steve French:
- Fix parsing of SMB1 negotiate request by adjusting offsets affected
by the removal of the RFC1002 length field from the SMB header
- Update minimum PDU size macros for both SMB1 and SMB2
- Rename smb2_get_msg function to smb_get_msg to better reflect its
role in handling both SMB1 and SMB2 requests
* tag 'v6.19-rc2-smb3-server-fixes' of git://git.samba.org/ksmbd:
smb/server: fix minimum SMB2 PDU size
smb/server: fix minimum SMB1 PDU size
ksmbd: rename smb2_get_msg to smb_get_msg
ksmbd: Fix to handle removal of rfc1002 header from smb_hdr
+70
-69
+2
-2
fs/smb/server/auth.c
+2
-2
fs/smb/server/auth.c
···
714
714
int ksmbd_gen_preauth_integrity_hash(struct ksmbd_conn *conn, char *buf,
715
715
__u8 *pi_hash)
716
716
{
717
-
struct smb2_hdr *rcv_hdr = smb2_get_msg(buf);
717
+
struct smb2_hdr *rcv_hdr = smb_get_msg(buf);
718
718
char *all_bytes_msg = (char *)&rcv_hdr->ProtocolId;
719
719
int msg_size = get_rfc1002_len(buf);
720
720
struct sha512_ctx sha_ctx;
···
841
841
unsigned int nvec, int enc)
842
842
{
843
843
struct ksmbd_conn *conn = work->conn;
844
-
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
844
+
struct smb2_transform_hdr *tr_hdr = smb_get_msg(iov[0].iov_base);
845
845
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
846
846
int rc;
847
847
struct scatterlist *sg;
+6
-5
fs/smb/server/connection.c
+6
-5
fs/smb/server/connection.c
···
295
295
return true;
296
296
}
297
297
298
-
#define SMB1_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb_hdr))
299
-
#define SMB2_MIN_SUPPORTED_HEADER_SIZE (sizeof(struct smb2_hdr) + 4)
298
+
/* "+2" for BCC field (ByteCount, 2 bytes) */
299
+
#define SMB1_MIN_SUPPORTED_PDU_SIZE (sizeof(struct smb_hdr) + 2)
300
+
#define SMB2_MIN_SUPPORTED_PDU_SIZE (sizeof(struct smb2_pdu))
300
301
301
302
/**
302
303
* ksmbd_conn_handler_loop() - session thread to listen on new smb requests
···
364
363
if (pdu_size > MAX_STREAM_PROT_LEN)
365
364
break;
366
365
367
-
if (pdu_size < SMB1_MIN_SUPPORTED_HEADER_SIZE)
366
+
if (pdu_size < SMB1_MIN_SUPPORTED_PDU_SIZE)
368
367
break;
369
368
370
369
/* 4 for rfc1002 length field */
···
395
394
if (!ksmbd_smb_request(conn))
396
395
break;
397
396
398
-
if (((struct smb2_hdr *)smb2_get_msg(conn->request_buf))->ProtocolId ==
397
+
if (((struct smb2_hdr *)smb_get_msg(conn->request_buf))->ProtocolId ==
399
398
SMB2_PROTO_NUMBER) {
400
-
if (pdu_size < SMB2_MIN_SUPPORTED_HEADER_SIZE)
399
+
if (pdu_size < SMB2_MIN_SUPPORTED_PDU_SIZE)
401
400
break;
402
401
}
403
402
+4
-4
fs/smb/server/oplock.c
+4
-4
fs/smb/server/oplock.c
···
637
637
goto out;
638
638
}
639
639
640
-
rsp_hdr = smb2_get_msg(work->response_buf);
640
+
rsp_hdr = smb_get_msg(work->response_buf);
641
641
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
642
642
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
643
643
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
···
651
651
rsp_hdr->SessionId = 0;
652
652
memset(rsp_hdr->Signature, 0, 16);
653
653
654
-
rsp = smb2_get_msg(work->response_buf);
654
+
rsp = smb_get_msg(work->response_buf);
655
655
656
656
rsp->StructureSize = cpu_to_le16(24);
657
657
if (!br_info->open_trunc &&
···
744
744
goto out;
745
745
}
746
746
747
-
rsp_hdr = smb2_get_msg(work->response_buf);
747
+
rsp_hdr = smb_get_msg(work->response_buf);
748
748
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
749
749
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
750
750
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
···
758
758
rsp_hdr->SessionId = 0;
759
759
memset(rsp_hdr->Signature, 0, 16);
760
760
761
-
rsp = smb2_get_msg(work->response_buf);
761
+
rsp = smb_get_msg(work->response_buf);
762
762
rsp->StructureSize = cpu_to_le16(44);
763
763
rsp->Epoch = br_info->epoch;
764
764
rsp->Flags = 0;
+1
-1
fs/smb/server/server.c
+1
-1
fs/smb/server/server.c
+35
-35
fs/smb/server/smb2pdu.c
+35
-35
fs/smb/server/smb2pdu.c
···
47
47
*req = ksmbd_req_buf_next(work);
48
48
*rsp = ksmbd_resp_buf_next(work);
49
49
} else {
50
-
*req = smb2_get_msg(work->request_buf);
51
-
*rsp = smb2_get_msg(work->response_buf);
50
+
*req = smb_get_msg(work->request_buf);
51
+
*rsp = smb_get_msg(work->response_buf);
52
52
}
53
53
}
54
54
···
146
146
if (work->next_smb2_rcv_hdr_off)
147
147
err_rsp = ksmbd_resp_buf_next(work);
148
148
else
149
-
err_rsp = smb2_get_msg(work->response_buf);
149
+
err_rsp = smb_get_msg(work->response_buf);
150
150
151
151
if (err_rsp->hdr.Status != STATUS_STOPPED_ON_SYMLINK) {
152
152
int err;
···
172
172
*/
173
173
bool is_smb2_neg_cmd(struct ksmbd_work *work)
174
174
{
175
-
struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
175
+
struct smb2_hdr *hdr = smb_get_msg(work->request_buf);
176
176
177
177
/* is it SMB2 header ? */
178
178
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
···
196
196
*/
197
197
bool is_smb2_rsp(struct ksmbd_work *work)
198
198
{
199
-
struct smb2_hdr *hdr = smb2_get_msg(work->response_buf);
199
+
struct smb2_hdr *hdr = smb_get_msg(work->response_buf);
200
200
201
201
/* is it SMB2 header ? */
202
202
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
···
222
222
if (work->next_smb2_rcv_hdr_off)
223
223
rcv_hdr = ksmbd_req_buf_next(work);
224
224
else
225
-
rcv_hdr = smb2_get_msg(work->request_buf);
225
+
rcv_hdr = smb_get_msg(work->request_buf);
226
226
return le16_to_cpu(rcv_hdr->Command);
227
227
}
228
228
···
235
235
{
236
236
struct smb2_hdr *rsp_hdr;
237
237
238
-
rsp_hdr = smb2_get_msg(work->response_buf);
238
+
rsp_hdr = smb_get_msg(work->response_buf);
239
239
rsp_hdr->Status = err;
240
240
241
241
work->iov_idx = 0;
···
258
258
struct ksmbd_conn *conn = work->conn;
259
259
int err;
260
260
261
-
rsp_hdr = smb2_get_msg(work->response_buf);
261
+
rsp_hdr = smb_get_msg(work->response_buf);
262
262
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
263
263
rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
264
264
rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
···
272
272
rsp_hdr->SessionId = 0;
273
273
memset(rsp_hdr->Signature, 0, 16);
274
274
275
-
rsp = smb2_get_msg(work->response_buf);
275
+
rsp = smb_get_msg(work->response_buf);
276
276
277
277
WARN_ON(ksmbd_conn_good(conn));
278
278
···
446
446
*/
447
447
bool is_chained_smb2_message(struct ksmbd_work *work)
448
448
{
449
-
struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
449
+
struct smb2_hdr *hdr = smb_get_msg(work->request_buf);
450
450
unsigned int len, next_cmd;
451
451
452
452
if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
···
497
497
*/
498
498
int init_smb2_rsp_hdr(struct ksmbd_work *work)
499
499
{
500
-
struct smb2_hdr *rsp_hdr = smb2_get_msg(work->response_buf);
501
-
struct smb2_hdr *rcv_hdr = smb2_get_msg(work->request_buf);
500
+
struct smb2_hdr *rsp_hdr = smb_get_msg(work->response_buf);
501
+
struct smb2_hdr *rcv_hdr = smb_get_msg(work->request_buf);
502
502
503
503
memset(rsp_hdr, 0, sizeof(struct smb2_hdr) + 2);
504
504
rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
···
527
527
*/
528
528
int smb2_allocate_rsp_buf(struct ksmbd_work *work)
529
529
{
530
-
struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
530
+
struct smb2_hdr *hdr = smb_get_msg(work->request_buf);
531
531
size_t small_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
532
532
size_t large_sz = small_sz + work->conn->vals->max_trans_size;
533
533
size_t sz = small_sz;
···
543
543
offsetof(struct smb2_query_info_req, OutputBufferLength))
544
544
return -EINVAL;
545
545
546
-
req = smb2_get_msg(work->request_buf);
546
+
req = smb_get_msg(work->request_buf);
547
547
if ((req->InfoType == SMB2_O_INFO_FILE &&
548
548
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
549
549
req->FileInfoClass == FILE_ALL_INFORMATION)) ||
···
712
712
}
713
713
714
714
in_work->conn = work->conn;
715
-
memcpy(smb2_get_msg(in_work->response_buf), ksmbd_resp_buf_next(work),
715
+
memcpy(smb_get_msg(in_work->response_buf), ksmbd_resp_buf_next(work),
716
716
__SMB2_HEADER_STRUCTURE_SIZE);
717
717
718
-
rsp_hdr = smb2_get_msg(in_work->response_buf);
718
+
rsp_hdr = smb_get_msg(in_work->response_buf);
719
719
rsp_hdr->Flags |= SMB2_FLAGS_ASYNC_COMMAND;
720
720
rsp_hdr->Id.AsyncId = cpu_to_le64(work->async_id);
721
721
smb2_set_err_rsp(in_work);
···
1093
1093
int smb2_handle_negotiate(struct ksmbd_work *work)
1094
1094
{
1095
1095
struct ksmbd_conn *conn = work->conn;
1096
-
struct smb2_negotiate_req *req = smb2_get_msg(work->request_buf);
1097
-
struct smb2_negotiate_rsp *rsp = smb2_get_msg(work->response_buf);
1096
+
struct smb2_negotiate_req *req = smb_get_msg(work->request_buf);
1097
+
struct smb2_negotiate_rsp *rsp = smb_get_msg(work->response_buf);
1098
1098
int rc = 0;
1099
1099
unsigned int smb2_buf_len, smb2_neg_size, neg_ctxt_len = 0;
1100
1100
__le32 status;
···
5967
5967
*/
5968
5968
int smb2_echo(struct ksmbd_work *work)
5969
5969
{
5970
-
struct smb2_echo_rsp *rsp = smb2_get_msg(work->response_buf);
5970
+
struct smb2_echo_rsp *rsp = smb_get_msg(work->response_buf);
5971
5971
5972
5972
ksmbd_debug(SMB, "Received smb2 echo request\n");
5973
5973
···
6520
6520
pid = work->compound_pfid;
6521
6521
}
6522
6522
} else {
6523
-
req = smb2_get_msg(work->request_buf);
6524
-
rsp = smb2_get_msg(work->response_buf);
6523
+
req = smb_get_msg(work->request_buf);
6524
+
rsp = smb_get_msg(work->response_buf);
6525
6525
}
6526
6526
6527
6527
if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
···
6754
6754
pid = work->compound_pfid;
6755
6755
}
6756
6756
} else {
6757
-
req = smb2_get_msg(work->request_buf);
6758
-
rsp = smb2_get_msg(work->response_buf);
6757
+
req = smb_get_msg(work->request_buf);
6758
+
rsp = smb_get_msg(work->response_buf);
6759
6759
}
6760
6760
6761
6761
if (!has_file_id(id)) {
···
7183
7183
int smb2_cancel(struct ksmbd_work *work)
7184
7184
{
7185
7185
struct ksmbd_conn *conn = work->conn;
7186
-
struct smb2_hdr *hdr = smb2_get_msg(work->request_buf);
7186
+
struct smb2_hdr *hdr = smb_get_msg(work->request_buf);
7187
7187
struct smb2_hdr *chdr;
7188
7188
struct ksmbd_work *iter;
7189
7189
struct list_head *command_list;
···
7200
7200
spin_lock(&conn->request_lock);
7201
7201
list_for_each_entry(iter, command_list,
7202
7202
async_request_entry) {
7203
-
chdr = smb2_get_msg(iter->request_buf);
7203
+
chdr = smb_get_msg(iter->request_buf);
7204
7204
7205
7205
if (iter->async_id !=
7206
7206
le64_to_cpu(hdr->Id.AsyncId))
···
7221
7221
7222
7222
spin_lock(&conn->request_lock);
7223
7223
list_for_each_entry(iter, command_list, request_entry) {
7224
-
chdr = smb2_get_msg(iter->request_buf);
7224
+
chdr = smb_get_msg(iter->request_buf);
7225
7225
7226
7226
if (chdr->MessageId != hdr->MessageId ||
7227
7227
iter == work)
···
8151
8151
id = work->compound_fid;
8152
8152
}
8153
8153
} else {
8154
-
req = smb2_get_msg(work->request_buf);
8155
-
rsp = smb2_get_msg(work->response_buf);
8154
+
req = smb_get_msg(work->request_buf);
8155
+
rsp = smb_get_msg(work->response_buf);
8156
8156
}
8157
8157
8158
8158
if (!has_file_id(id))
···
8817
8817
*/
8818
8818
bool smb2_is_sign_req(struct ksmbd_work *work, unsigned int command)
8819
8819
{
8820
-
struct smb2_hdr *rcv_hdr2 = smb2_get_msg(work->request_buf);
8820
+
struct smb2_hdr *rcv_hdr2 = smb_get_msg(work->request_buf);
8821
8821
8822
8822
if ((rcv_hdr2->Flags & SMB2_FLAGS_SIGNED) &&
8823
8823
command != SMB2_NEGOTIATE_HE &&
···
8842
8842
struct kvec iov[1];
8843
8843
size_t len;
8844
8844
8845
-
hdr = smb2_get_msg(work->request_buf);
8845
+
hdr = smb_get_msg(work->request_buf);
8846
8846
if (work->next_smb2_rcv_hdr_off)
8847
8847
hdr = ksmbd_req_buf_next(work);
8848
8848
···
8916
8916
struct kvec iov[1];
8917
8917
size_t len;
8918
8918
8919
-
hdr = smb2_get_msg(work->request_buf);
8919
+
hdr = smb_get_msg(work->request_buf);
8920
8920
if (work->next_smb2_rcv_hdr_off)
8921
8921
hdr = ksmbd_req_buf_next(work);
8922
8922
···
9049
9049
static void fill_transform_hdr(void *tr_buf, char *old_buf, __le16 cipher_type)
9050
9050
{
9051
9051
struct smb2_transform_hdr *tr_hdr = tr_buf + 4;
9052
-
struct smb2_hdr *hdr = smb2_get_msg(old_buf);
9052
+
struct smb2_hdr *hdr = smb_get_msg(old_buf);
9053
9053
unsigned int orig_len = get_rfc1002_len(old_buf);
9054
9054
9055
9055
/* tr_buf must be cleared by the caller */
···
9088
9088
9089
9089
bool smb3_is_transform_hdr(void *buf)
9090
9090
{
9091
-
struct smb2_transform_hdr *trhdr = smb2_get_msg(buf);
9091
+
struct smb2_transform_hdr *trhdr = smb_get_msg(buf);
9092
9092
9093
9093
return trhdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM;
9094
9094
}
···
9100
9100
unsigned int pdu_length = get_rfc1002_len(buf);
9101
9101
struct kvec iov[2];
9102
9102
int buf_data_size = pdu_length - sizeof(struct smb2_transform_hdr);
9103
-
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(buf);
9103
+
struct smb2_transform_hdr *tr_hdr = smb_get_msg(buf);
9104
9104
int rc = 0;
9105
9105
9106
9106
if (pdu_length < sizeof(struct smb2_transform_hdr) ||
···
9141
9141
{
9142
9142
struct ksmbd_conn *conn = work->conn;
9143
9143
struct ksmbd_session *sess = work->sess;
9144
-
struct smb2_hdr *rsp = smb2_get_msg(work->response_buf);
9144
+
struct smb2_hdr *rsp = smb_get_msg(work->response_buf);
9145
9145
9146
9146
if (conn->dialect < SMB30_PROT_ID)
9147
9147
return false;
-9
fs/smb/server/smb2pdu.h
-9
fs/smb/server/smb2pdu.h
···
383
383
int smb2_oplock_break(struct ksmbd_work *work);
384
384
int smb2_notify(struct ksmbd_work *ksmbd_work);
385
385
386
-
/*
387
-
* Get the body of the smb2 message excluding the 4 byte rfc1002 headers
388
-
* from request/response buffer.
389
-
*/
390
-
static inline void *smb2_get_msg(void *buf)
391
-
{
392
-
return buf + 4;
393
-
}
394
-
395
386
#define POSIX_TYPE_FILE 0
396
387
#define POSIX_TYPE_DIR 1
397
388
#define POSIX_TYPE_SYMLINK 2
+13
-13
fs/smb/server/smb_common.c
+13
-13
fs/smb/server/smb_common.c
···
140
140
if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
141
141
return ksmbd_smb2_check_message(work);
142
142
143
-
hdr = work->request_buf;
143
+
hdr = smb_get_msg(work->request_buf);
144
144
if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER &&
145
145
hdr->Command == SMB_COM_NEGOTIATE) {
146
146
work->conn->outstanding_credits++;
···
163
163
if (conn->request_buf[0] != 0)
164
164
return false;
165
165
166
-
proto = (__le32 *)smb2_get_msg(conn->request_buf);
166
+
proto = (__le32 *)smb_get_msg(conn->request_buf);
167
167
if (*proto == SMB2_COMPRESSION_TRANSFORM_ID) {
168
168
pr_err_ratelimited("smb2 compression not support yet");
169
169
return false;
···
259
259
static int ksmbd_negotiate_smb_dialect(void *buf)
260
260
{
261
261
int smb_buf_length = get_rfc1002_len(buf);
262
-
__le32 proto = ((struct smb2_hdr *)smb2_get_msg(buf))->ProtocolId;
262
+
__le32 proto = ((struct smb2_hdr *)smb_get_msg(buf))->ProtocolId;
263
263
264
264
if (proto == SMB2_PROTO_NUMBER) {
265
265
struct smb2_negotiate_req *req;
266
266
int smb2_neg_size =
267
267
offsetof(struct smb2_negotiate_req, Dialects);
268
268
269
-
req = (struct smb2_negotiate_req *)smb2_get_msg(buf);
269
+
req = (struct smb2_negotiate_req *)smb_get_msg(buf);
270
270
if (smb2_neg_size > smb_buf_length)
271
271
goto err_out;
272
272
···
278
278
req->DialectCount);
279
279
}
280
280
281
-
proto = *(__le32 *)((struct smb_hdr *)buf)->Protocol;
282
281
if (proto == SMB1_PROTO_NUMBER) {
283
282
struct smb_negotiate_req *req;
284
283
285
-
req = (struct smb_negotiate_req *)buf;
284
+
req = (struct smb_negotiate_req *)smb_get_msg(buf);
286
285
if (le16_to_cpu(req->ByteCount) < 2)
287
286
goto err_out;
288
287
289
-
if (offsetof(struct smb_negotiate_req, DialectsArray) - 4 +
288
+
if (offsetof(struct smb_negotiate_req, DialectsArray) +
290
289
le16_to_cpu(req->ByteCount) > smb_buf_length) {
291
290
goto err_out;
292
291
}
···
319
320
*/
320
321
static int init_smb1_rsp_hdr(struct ksmbd_work *work)
321
322
{
322
-
struct smb_hdr *rsp_hdr = (struct smb_hdr *)work->response_buf;
323
-
struct smb_hdr *rcv_hdr = (struct smb_hdr *)work->request_buf;
323
+
struct smb_hdr *rsp_hdr = (struct smb_hdr *)smb_get_msg(work->response_buf);
324
+
struct smb_hdr *rcv_hdr = (struct smb_hdr *)smb_get_msg(work->request_buf);
324
325
325
326
rsp_hdr->Command = SMB_COM_NEGOTIATE;
326
327
*(__le32 *)rsp_hdr->Protocol = SMB1_PROTO_NUMBER;
···
411
412
412
413
int ksmbd_init_smb_server(struct ksmbd_conn *conn)
413
414
{
415
+
struct smb_hdr *rcv_hdr = (struct smb_hdr *)smb_get_msg(conn->request_buf);
414
416
__le32 proto;
415
417
416
-
proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol;
418
+
proto = *(__le32 *)rcv_hdr->Protocol;
417
419
if (conn->need_neg == false) {
418
420
if (proto == SMB1_PROTO_NUMBER)
419
421
return -EINVAL;
···
572
572
573
573
static int smb_handle_negotiate(struct ksmbd_work *work)
574
574
{
575
-
struct smb_negotiate_rsp *neg_rsp = work->response_buf;
575
+
struct smb_negotiate_rsp *neg_rsp = smb_get_msg(work->response_buf);
576
576
577
577
ksmbd_debug(SMB, "Unsupported SMB1 protocol\n");
578
578
579
-
if (ksmbd_iov_pin_rsp(work, (void *)neg_rsp + 4,
580
-
sizeof(struct smb_negotiate_rsp) - 4))
579
+
if (ksmbd_iov_pin_rsp(work, (void *)neg_rsp,
580
+
sizeof(struct smb_negotiate_rsp)))
581
581
return -ENOMEM;
582
582
583
583
neg_rsp->hdr.Status.CifsError = STATUS_SUCCESS;
+9
fs/smb/server/smb_common.h
+9
fs/smb/server/smb_common.h
···
203
203
unsigned int ksmbd_server_side_copy_max_total_size(void);
204
204
bool is_asterisk(char *p);
205
205
__le32 smb_map_generic_desired_access(__le32 daccess);
206
+
207
+
/*
208
+
* Get the body of the smb message excluding the 4 byte rfc1002 headers
209
+
* from request/response buffer.
210
+
*/
211
+
static inline void *smb_get_msg(void *buf)
212
+
{
213
+
return buf + 4;
214
+
}
206
215
#endif /* __SMB_SERVER_COMMON_H__ */