From: Ralph Boehme <slow@samba.org>
To: linux-cifs@vger.kernel.org
Cc: "Namjae Jeon" <linkinjeon@kernel.org>,
"Tom Talpey" <tom@talpey.com>,
"Ronnie Sahlberg" <ronniesahlberg@gmail.com>,
"Ralph Böhme" <slow@samba.org>,
"Steve French" <smfrench@gmail.com>,
"Hyunchul Lee" <hyc.lee@gmail.com>,
"Sergey Senozhatsky" <senozhatsky@chromium.org>
Subject: [PATCH v5 06/20] ksmbd: add validation in smb2 negotiate
Date: Fri, 1 Oct 2021 14:04:07 +0200 [thread overview]
Message-ID: <20211001120421.327245-7-slow@samba.org> (raw)
In-Reply-To: <20211001120421.327245-1-slow@samba.org>
From: Namjae Jeon <linkinjeon@kernel.org>
This patch add validation to check request buffer check in smb2
negotiate and fix null pointer deferencing oops in smb3_preauth_hash_rsp()
that found from manual test.
Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Hyunchul Lee <hyc.lee@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/ksmbd/smb2pdu.c | 42 +++++++++++++++++++++++++++++++++++++++++-
fs/ksmbd/smb_common.c | 32 +++++++++++++++++++++++++++-----
2 files changed, 68 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index c434390ffcae..0b0ab3297e05 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1067,6 +1067,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
struct smb2_negotiate_req *req = work->request_buf;
struct smb2_negotiate_rsp *rsp = work->response_buf;
int rc = 0;
+ unsigned int smb2_buf_len, smb2_neg_size;
__le32 status;
ksmbd_debug(SMB, "Received negotiate request\n");
@@ -1084,6 +1085,44 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
goto err_out;
}
+ smb2_buf_len = get_rfc1002_len(work->request_buf);
+ smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects) - 4;
+ if (smb2_neg_size > smb2_buf_len) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (conn->dialect == SMB311_PROT_ID) {
+ unsigned int nego_ctxt_off = le32_to_cpu(req->NegotiateContextOffset);
+
+ if (smb2_buf_len < nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (smb2_neg_size > nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ nego_ctxt_off) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+ } else {
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ smb2_buf_len) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+ }
+
conn->cli_cap = le32_to_cpu(req->Capabilities);
switch (conn->dialect) {
case SMB311_PROT_ID:
@@ -8301,7 +8340,8 @@ void smb3_preauth_hash_rsp(struct ksmbd_work *work)
WORK_BUFFERS(work, req, rsp);
- if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE)
+ if (le16_to_cpu(req->Command) == SMB2_NEGOTIATE_HE &&
+ conn->preauth_info)
ksmbd_gen_preauth_integrity_hash(conn, (char *)rsp,
conn->preauth_info->Preauth_HashValue);
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index 20bd5b8e3c0a..b6c4c7e960fa 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -168,10 +168,12 @@ static bool supported_protocol(int idx)
idx <= server_conf.max_protocol);
}
-static char *next_dialect(char *dialect, int *next_off)
+static char *next_dialect(char *dialect, int *next_off, int bcount)
{
dialect = dialect + *next_off;
- *next_off = strlen(dialect);
+ *next_off = strnlen(dialect, bcount);
+ if (dialect[*next_off] != '\0')
+ return NULL;
return dialect;
}
@@ -186,7 +188,9 @@ static int ksmbd_lookup_dialect_by_name(char *cli_dialects, __le16 byte_count)
dialect = cli_dialects;
bcount = le16_to_cpu(byte_count);
do {
- dialect = next_dialect(dialect, &next);
+ dialect = next_dialect(dialect, &next, bcount);
+ if (!dialect)
+ break;
ksmbd_debug(SMB, "client requested dialect %s\n",
dialect);
if (!strcmp(dialect, smb1_protos[i].name)) {
@@ -234,13 +238,22 @@ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count)
static int ksmbd_negotiate_smb_dialect(void *buf)
{
- __le32 proto;
+ int smb_buf_length = get_rfc1002_len(buf);
+ __le32 proto = ((struct smb2_hdr *)buf)->ProtocolId;
- proto = ((struct smb2_hdr *)buf)->ProtocolId;
if (proto == SMB2_PROTO_NUMBER) {
struct smb2_negotiate_req *req;
+ int smb2_neg_size =
+ offsetof(struct smb2_negotiate_req, Dialects) - 4;
req = (struct smb2_negotiate_req *)buf;
+ if (smb2_neg_size > smb_buf_length)
+ goto err_out;
+
+ if (smb2_neg_size + le16_to_cpu(req->DialectCount) * sizeof(__le16) >
+ smb_buf_length)
+ goto err_out;
+
return ksmbd_lookup_dialect_by_id(req->Dialects,
req->DialectCount);
}
@@ -250,10 +263,19 @@ static int ksmbd_negotiate_smb_dialect(void *buf)
struct smb_negotiate_req *req;
req = (struct smb_negotiate_req *)buf;
+ if (le16_to_cpu(req->ByteCount) < 2)
+ goto err_out;
+
+ if (offsetof(struct smb_negotiate_req, DialectsArray) - 4 +
+ le16_to_cpu(req->ByteCount) > smb_buf_length) {
+ goto err_out;
+ }
+
return ksmbd_lookup_dialect_by_name(req->DialectsArray,
req->ByteCount);
}
+err_out:
return BAD_PROT_ID;
}
--
2.31.1
next prev parent reply other threads:[~2021-10-01 12:25 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-01 12:04 [PATCH v5 00/20] Buffer validation patches Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 01/20] ksmbd: add the check to vaildate if stream protocol length exceeds maximum value Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 02/20] ksmbd: add validation in smb2_ioctl Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 03/20] ksmbd: use correct basic info level in set_file_basic_info() Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 04/20] ksmbd: add request buffer validation in smb2_set_info Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 05/20] ksmbd: check strictly data area in ksmbd_smb2_check_message() Ralph Boehme
2021-10-01 12:04 ` Ralph Boehme [this message]
2021-10-01 12:04 ` [PATCH v5 07/20] ksmbd: add buffer validation for SMB2_CREATE_CONTEXT Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 08/20] ksmbd: remove the leftover of smb2.0 dialect support Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 09/20] ksmbd: remove NTLMv1 authentication Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 10/20] ksmbd: fix transform header validation Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 11/20] ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message() Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 12/20] ksmbd: use ksmbd_req_buf_next() in ksmbd_verify_smb_message() Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 13/20] ksmbd: remove ksmbd_verify_smb_message() Ralph Boehme
2021-10-02 5:46 ` Namjae Jeon
2021-10-02 12:05 ` Ralph Boehme
2021-10-03 23:37 ` Jeremy Allison
2021-10-04 0:47 ` Namjae Jeon
2021-10-01 12:04 ` [PATCH v5 14/20] ksmbd: add ksmbd_smb2_cur_pdu_buflen() Ralph Boehme
2021-10-02 5:49 ` Namjae Jeon
2021-10-02 11:55 ` Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 15/20] ksmbd: use ksmbd_smb2_cur_pdu_buflen() in ksmbd_smb2_check_message() Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 16/20] ksmbd: check PDU len is at least header plus body size " Ralph Boehme
2021-10-02 5:55 ` Namjae Jeon
2021-10-02 11:54 ` Ralph Boehme
2021-10-02 12:45 ` Hyunchul Lee
2021-10-02 12:49 ` Ralph Boehme
2021-10-03 1:25 ` Namjae Jeon
2021-10-01 12:04 ` [PATCH v5 17/20] ksmdb: use cmd helper variable in smb2_get_ksmbd_tcon() Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 18/20] ksmdb: make smb2_get_ksmbd_tcon() callable with chained PDUs Ralph Boehme
2021-10-02 6:00 ` Namjae Jeon
2021-10-02 12:08 ` Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 19/20] ksmbd: make smb2_check_user_session() callabe for compound PDUs Ralph Boehme
2021-10-02 6:01 ` Namjae Jeon
2021-10-02 12:08 ` Ralph Boehme
2021-10-01 12:04 ` [PATCH v5 20/20] ksmdb: move session and tcon validation to ksmbd_smb2_check_message() Ralph Boehme
2021-10-02 6:05 ` [PATCH v5 00/20] Buffer validation patches Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211001120421.327245-7-slow@samba.org \
--to=slow@samba.org \
--cc=hyc.lee@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=ronniesahlberg@gmail.com \
--cc=senozhatsky@chromium.org \
--cc=smfrench@gmail.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox