From: "Pali Rohár" <pali@kernel.org>
To: Steve French <sfrench@samba.org>,
Paulo Alcantara <pc@manguebit.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 7/8] cifs: Validate content of NFS reparse point buffer
Date: Sat, 28 Sep 2024 23:59:47 +0200 [thread overview]
Message-ID: <20240928215948.4494-8-pali@kernel.org> (raw)
In-Reply-To: <20240928215948.4494-1-pali@kernel.org>
Symlink target location stored in DataBuffer is encoded in UTF-16. So check
that symlink DataBuffer length is non-zero and even number. And check that
DataBuffer does not contain UTF-16 null codepoint because Linux cannot
process symlink with null byte.
DataBuffer for char and block devices is 8 bytes long as it contains two
32-bit numbers (major and minor). Add check for this.
DataBuffer buffer for sockets and fifos zero-length. Add checks for this.
Signed-off-by: Pali Rohár <pali@kernel.org>
---
fs/smb/client/reparse.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index e3cf7ae516cb..35e8f2e18530 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -330,6 +330,18 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
switch ((type = le64_to_cpu(buf->InodeType))) {
case NFS_SPECFILE_LNK:
+ if (len == 0 || (len % 2)) {
+ cifs_dbg(VFS, "srv returned malformed nfs symlink buffer\n");
+ return -EIO;
+ }
+ /*
+ * Check that buffer does not contain UTF-16 null codepoint
+ * because Linux cannot process symlink with null byte.
+ */
+ if (UniStrnlen((wchar_t *)buf->DataBuffer, len/2) != len/2) {
+ cifs_dbg(VFS, "srv returned null byte in nfs symlink target location\n");
+ return -EIO;
+ }
data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer,
len, true,
cifs_sb->local_nls);
@@ -340,8 +352,19 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
break;
case NFS_SPECFILE_CHR:
case NFS_SPECFILE_BLK:
+ /* DataBuffer for block and char devices contains two 32-bit numbers */
+ if (len != 8) {
+ cifs_dbg(VFS, "srv returned malformed nfs buffer for type: 0x%llx\n", type);
+ return -EIO;
+ }
+ break;
case NFS_SPECFILE_FIFO:
case NFS_SPECFILE_SOCK:
+ /* DataBuffer for fifos and sockets is empty */
+ if (len != 0) {
+ cifs_dbg(VFS, "srv returned malformed nfs buffer for type: 0x%llx\n", type);
+ return -EIO;
+ }
break;
default:
cifs_dbg(VFS, "%s: unhandled inode type: 0x%llx\n",
--
2.20.1
next prev parent reply other threads:[~2024-09-28 22:00 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-28 21:59 [PATCH 0/8] cifs: Fix support for NFS-style reparse points Pali Rohár
2024-09-28 21:59 ` [PATCH 1/8] smb: Update comments about some reparse point tags Pali Rohár
2024-09-28 21:59 ` [PATCH 2/8] cifs: Remove intermediate object of failed create reparse call Pali Rohár
2024-09-29 12:53 ` Pali Rohár
2024-09-29 14:03 ` [PATCH v2] " Pali Rohár
2024-09-29 16:01 ` Steve French
2024-09-30 15:25 ` [PATCH 2/8] " Paulo Alcantara
2024-09-30 17:20 ` Pali Rohár
2024-09-30 21:33 ` Paulo Alcantara
2024-09-30 20:25 ` [PATCH v3] " Pali Rohár
2024-09-30 21:33 ` Steve French
2024-09-28 21:59 ` [PATCH 3/8] cifs: Fix parsing NFS-style char/block devices Pali Rohár
2024-09-28 21:59 ` [PATCH 4/8] cifs: Fix creating " Pali Rohár
2024-09-29 0:18 ` Steve French
2024-09-29 0:44 ` Pali Rohár
[not found] ` <CAH2r5mvbUhcW_c46oUiHzfPg97n5qiRg9kzpCkmzG9uHygOF3g@mail.gmail.com>
2024-09-29 0:51 ` Pali Rohár
2024-09-28 21:59 ` [PATCH 5/8] cifs: Fix buffer overflow when parsing NFS reparse points Pali Rohár
2024-09-29 10:22 ` [PATCH v2] " Pali Rohár
2024-09-28 21:59 ` [PATCH 6/8] cifs: Do not convert delimiter when parsing NFS-style symlinks Pali Rohár
2024-09-28 21:59 ` Pali Rohár [this message]
2024-09-28 21:59 ` [PATCH 8/8] cifs: Rename posix to nfs in parse_reparse_posix() and reparse_posix_data Pali Rohár
2024-09-29 4:57 ` Steve French
2024-09-29 9:09 ` Ralph Boehme
2024-09-29 9:26 ` Pali Rohár
2024-09-29 12:52 ` Ralph Boehme
2024-09-29 15:43 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240928215948.4494-8-pali@kernel.org \
--to=pali@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pc@manguebit.com \
--cc=ronniesahlberg@gmail.com \
--cc=sfrench@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox