From: David Howells <dhowells@redhat.com>
To: Steve French <sfrench@samba.org>
Cc: David Howells <dhowells@redhat.com>,
Paulo Alcantara <pc@manguebit.org>,
Shyam Prasad N <sprasad@microsoft.com>,
Tom Talpey <tom@talpey.com>, Stefan Metzmacher <metze@samba.org>,
Mina Almasry <almasrymina@google.com>,
linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,
netfs@lists.linux.dev, linux-fsdevel@vger.kernel.org
Subject: [RFC PATCH 13/36] cifs: Remove validate_t2()
Date: Tue, 19 May 2026 11:21:31 +0100 [thread overview]
Message-ID: <20260519102158.592165-14-dhowells@redhat.com> (raw)
In-Reply-To: <20260519102158.592165-1-dhowells@redhat.com>
validate_t2() is no longer necessary as the checking is now done up front.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Steve French <sfrench@samba.org>
cc: Paulo Alcantara <pc@manguebit.org>
cc: Shyam Prasad N <sprasad@microsoft.com>
cc: Tom Talpey <tom@talpey.com>
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
---
fs/smb/client/cifssmb.c | 132 +++++++---------------------------------
1 file changed, 22 insertions(+), 110 deletions(-)
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index c537cc3e66c8..901f8aff6134 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -332,40 +332,6 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifs_tcon *tcon,
return __smb_init(smb_command, wct, tcon, request_buf, response_buf);
}
-static int validate_t2(struct smb_t2_rsp *pSMB)
-{
- unsigned int total_size;
-
- return 0; /* Checking now done in reception routine. */
-
- /* check for plausible wct */
- if (pSMB->hdr.WordCount < 10)
- goto vt2_err;
-
- /* check for parm and data offset going beyond end of smb */
- if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 ||
- get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
- goto vt2_err;
-
- total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
- if (total_size >= 512)
- goto vt2_err;
-
- /* check that bcc is at least as big as parms + data, and that it is
- * less than negotiated smb buffer
- */
- total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
- if (total_size > get_bcc(&pSMB->hdr) ||
- total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
- goto vt2_err;
-
- return 0;
-vt2_err:
- cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
- sizeof(struct smb_t2_rsp) + 16);
- return -EINVAL;
-}
-
static int
decode_ext_sec_blob(struct cifs_ses *ses, SMB_NEGOTIATE_RSP *pSMBr)
{
@@ -1122,9 +1088,7 @@ CIFSPOSIXCreate(const unsigned int xid, struct cifs_tcon *tcon,
}
cifs_dbg(FYI, "copying inode info\n");
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < sizeof(OPEN_PSX_RSP)) {
+ if (get_bcc(&pSMBr->hdr) < sizeof(OPEN_PSX_RSP)) {
rc = smb_EIO2(smb_eio_trace_create_rsp_too_small,
get_bcc(&pSMBr->hdr), sizeof(OPEN_PSX_RSP));
goto psx_create_err;
@@ -2372,9 +2336,7 @@ CIFSSMBPosixLock(const unsigned int xid, struct cifs_tcon *tcon,
/* lock structure can be returned on get */
__u16 data_offset;
__u16 data_count;
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < sizeof(*parm_data)) {
+ if (get_bcc(&pSMBr->hdr) < sizeof(*parm_data)) {
rc = smb_EIO2(smb_eio_trace_lock_bcc_too_small,
get_bcc(&pSMBr->hdr), sizeof(*parm_data));
goto plk_err_exit;
@@ -2939,9 +2901,8 @@ CIFSSMBUnixQuerySymLink(const unsigned int xid, struct cifs_tcon *tcon,
} else {
/* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
/* BB also check enough total bytes returned */
- if (rc || get_bcc(&pSMBr->hdr) < 2)
+ if (get_bcc(&pSMBr->hdr) < 2)
rc = smb_EIO2(smb_eio_trace_qsym_bcc_too_small,
get_bcc(&pSMBr->hdr), 2);
else {
@@ -3524,9 +3485,8 @@ int cifs_do_get_acl(const unsigned int xid, struct cifs_tcon *tcon,
} else {
/* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
/* BB also check enough total bytes returned */
- if (rc || get_bcc(&pSMBr->hdr) < 2)
+ if (get_bcc(&pSMBr->hdr) < 2)
rc = smb_EIO2(smb_eio_trace_getacl_bcc_too_small,
get_bcc(&pSMBr->hdr), 2);
else {
@@ -3696,9 +3656,8 @@ CIFSGetExtAttr(const unsigned int xid, struct cifs_tcon *tcon,
cifs_dbg(FYI, "error %d in GetExtAttr\n", rc);
} else {
/* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
/* BB also check enough total bytes returned */
- if (rc || get_bcc(&pSMBr->hdr) < 2)
+ if (get_bcc(&pSMBr->hdr) < 2)
/* If rc should we check for EOPNOSUPP and
disable the srvino flag? or in caller? */
rc = smb_EIO2(smb_eio_trace_getextattr_bcc_too_small,
@@ -4099,12 +4058,7 @@ CIFSSMBQFileInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in QFileInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc) /* BB add auto retry on EOPNOTSUPP? */
- rc = smb_EIO2(smb_eio_trace_qfileinfo_invalid,
- get_bcc(&pSMBr->hdr), 40);
- else if (get_bcc(&pSMBr->hdr) < 40)
+ if (get_bcc(&pSMBr->hdr) < 40)
rc = smb_EIO2(smb_eio_trace_qfileinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 40);
else if (pFindData) {
@@ -4188,12 +4142,7 @@ CIFSSMBQPathInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in QPathInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc) /* BB add auto retry on EOPNOTSUPP? */
- rc = smb_EIO2(smb_eio_trace_qpathinfo_invalid,
- get_bcc(&pSMBr->hdr), 40);
- else if (!legacy && get_bcc(&pSMBr->hdr) < 40)
+ if (!legacy && get_bcc(&pSMBr->hdr) < 40)
rc = smb_EIO2(smb_eio_trace_qpathinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 40);
else if (legacy && get_bcc(&pSMBr->hdr) < 24)
@@ -4275,9 +4224,7 @@ CIFSSMBUnixQFileInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in UnixQFileInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < sizeof(FILE_UNIX_BASIC_INFO)) {
+ if (get_bcc(&pSMBr->hdr) < sizeof(FILE_UNIX_BASIC_INFO)) {
cifs_dbg(VFS, "Malformed FILE_UNIX_BASIC_INFO response. Unix Extensions can be disabled on mount by specifying the nosfu mount option.\n");
rc = smb_EIO2(smb_eio_trace_unixqfileinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), sizeof(FILE_UNIX_BASIC_INFO));
@@ -4360,9 +4307,7 @@ CIFSSMBUnixQPathInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in UnixQPathInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < sizeof(FILE_UNIX_BASIC_INFO)) {
+ if (get_bcc(&pSMBr->hdr) < sizeof(FILE_UNIX_BASIC_INFO)) {
cifs_dbg(VFS, "Malformed FILE_UNIX_BASIC_INFO response. Unix Extensions can be disabled on mount by specifying the nosfu mount option.\n");
rc = smb_EIO2(smb_eio_trace_unixqpathinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), sizeof(FILE_UNIX_BASIC_INFO));
@@ -4504,13 +4449,8 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
goto findFirstRetry;
return rc;
}
- /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
- if (rc) {
- cifs_buf_release(pSMB);
- return rc;
- }
+ /* decode response */
psrch_inf->unicode = !!(pSMBr->hdr.Flags2 & SMBFLG2_UNICODE);
psrch_inf->ntwrk_buf_start = (char *)pSMBr;
psrch_inf->smallBuf = false;
@@ -4619,11 +4559,6 @@ int CIFSFindNext(const unsigned int xid, struct cifs_tcon *tcon,
}
/* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
- if (rc) {
- cifs_buf_release(pSMB);
- return rc;
- }
/* BB fixme add lock for file (srch_info) struct here */
psrch_inf->unicode = !!(pSMBr->hdr.Flags2 & SMBFLG2_UNICODE);
response_data = (char *)&pSMBr->hdr.Protocol +
@@ -4763,9 +4698,8 @@ CIFSGetSrvInodeNumber(const unsigned int xid, struct cifs_tcon *tcon,
cifs_dbg(FYI, "error %d in QueryInternalInfo\n", rc);
} else {
/* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
/* BB also check enough total bytes returned */
- if (rc || get_bcc(&pSMBr->hdr) < 2)
+ if (get_bcc(&pSMBr->hdr) < 2)
/* If rc should we check for EOPNOSUPP and
disable the srvino flag? or in caller? */
rc = smb_EIO2(smb_eio_trace_getsrvinonum_bcc_too_small,
@@ -4883,10 +4817,9 @@ CIFSGetDFSRefer(const unsigned int xid, struct cifs_ses *ses,
cifs_dbg(FYI, "Send error in GetDFSRefer = %d\n", rc);
goto GetDFSRefExit;
}
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
/* BB Also check if enough total bytes returned? */
- if (rc || get_bcc(&pSMBr->hdr) < 17) {
+ if (get_bcc(&pSMBr->hdr) < 17) {
rc = smb_EIO2(smb_eio_trace_getdfsrefer_bcc_too_small,
get_bcc(&pSMBr->hdr), 17);
goto GetDFSRefExit;
@@ -4961,12 +4894,10 @@ SMBOldQFSInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in QFSInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < 18)
+ if (get_bcc(&pSMBr->hdr) < 18) {
rc = smb_EIO2(smb_eio_trace_oldqfsinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 18);
- else {
+ } else {
__u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
cifs_dbg(FYI, "qfsinf resp BCC: %d Offset %d\n",
get_bcc(&pSMBr->hdr), data_offset);
@@ -5051,12 +4982,10 @@ CIFSSMBQFSInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in QFSInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < 24)
+ if (get_bcc(&pSMBr->hdr) < 24) {
rc = smb_EIO2(smb_eio_trace_qfsinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 24);
- else {
+ } else {
__u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
response_data =
@@ -5141,9 +5070,7 @@ CIFSSMBQFSAttributeInfo(const unsigned int xid, struct cifs_tcon *tcon)
if (rc) {
cifs_dbg(VFS, "Send error in QFSAttributeInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < 13) {
+ if (get_bcc(&pSMBr->hdr) < 13) {
/* BB also check if enough bytes returned */
rc = smb_EIO2(smb_eio_trace_qfsattrinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 13);
@@ -5215,9 +5142,7 @@ CIFSSMBQFSDeviceInfo(const unsigned int xid, struct cifs_tcon *tcon)
if (rc) {
cifs_dbg(FYI, "Send error in QFSDeviceInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) <
+ if (get_bcc(&pSMBr->hdr) <
sizeof(FILE_SYSTEM_DEVICE_INFO))
rc = smb_EIO2(smb_eio_trace_qfsdevinfo_bcc_too_small,
get_bcc(&pSMBr->hdr),
@@ -5289,9 +5214,7 @@ CIFSSMBQFSUnixInfo(const unsigned int xid, struct cifs_tcon *tcon)
if (rc) {
cifs_dbg(VFS, "Send error in QFSUnixInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < 13) {
+ if (get_bcc(&pSMBr->hdr) < 13) {
rc = smb_EIO2(smb_eio_trace_qfsunixinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 13);
} else {
@@ -5371,13 +5294,8 @@ CIFSSMBSetFSUnixInfo(const unsigned int xid, struct cifs_tcon *tcon, __u64 cap)
rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, in_len,
(struct smb_hdr *) pSMBr, &bytes_returned, 0);
- if (rc) {
+ if (rc)
cifs_dbg(VFS, "Send error in SETFSUnixInfo = %d\n", rc);
- } else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
- if (rc)
- rc = -EIO; /* bad smb */
- }
cifs_buf_release(pSMB);
if (rc == -EAGAIN)
@@ -5438,9 +5356,7 @@ CIFSSMBQFSPosixInfo(const unsigned int xid, struct cifs_tcon *tcon,
if (rc) {
cifs_dbg(FYI, "Send error in QFSUnixInfo = %d\n", rc);
} else { /* decode response */
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-
- if (rc || get_bcc(&pSMBr->hdr) < 13) {
+ if (get_bcc(&pSMBr->hdr) < 13) {
rc = smb_EIO2(smb_eio_trace_qfsposixinfo_bcc_too_small,
get_bcc(&pSMBr->hdr), 13);
} else {
@@ -6237,11 +6153,7 @@ CIFSSMBQAllEAs(const unsigned int xid, struct cifs_tcon *tcon,
/* BB also check enough total bytes returned */
- /* BB we need to improve the validity checking
- of these trans2 responses */
-
- rc = validate_t2((struct smb_t2_rsp *)pSMBr);
- if (rc || get_bcc(&pSMBr->hdr) < 4) {
+ if (get_bcc(&pSMBr->hdr) < 4) {
rc = smb_EIO2(smb_eio_trace_qalleas_bcc_too_small,
get_bcc(&pSMBr->hdr), 4);
goto QAllEAsOut;
next prev parent reply other threads:[~2026-05-19 10:23 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260519102158.592165-1-dhowells@redhat.com>
2026-05-19 10:21 ` [RFC PATCH 01/36] net: Perform special handling for a splice from a bvecq David Howells
2026-05-19 10:21 ` [RFC PATCH 02/36] netfs: Add a facility to splice TCP receive buffers into " David Howells
2026-05-19 10:21 ` [RFC PATCH 03/36] netfs: Add some TCP receive queue helpers David Howells
2026-05-19 10:21 ` [RFC PATCH 04/36] cifs, nls: Provide unicode size determination func David Howells
2026-05-19 10:21 ` [RFC PATCH 05/36] cifs: Introduce an ALIGN8() macro David Howells
2026-05-19 10:21 ` [RFC PATCH 06/36] cifs: Rename mid_q_entry to smb_message David Howells
2026-05-19 10:21 ` [RFC PATCH 07/36] cifs: Add "Has dynamic part" flag form SMB2/3 StructureSize LSB David Howells
2026-05-19 10:21 ` [RFC PATCH 09/36] cifs: Institute message managing struct David Howells
2026-05-19 10:21 ` [RFC PATCH 10/36] cifs: Split crypt_message() into encrypt and decrypt variants David Howells
2026-05-19 10:21 ` [RFC PATCH 11/36] cifs: Add new AEAD alloc and setup routines that draw from an iterator David Howells
2026-05-19 10:21 ` [RFC PATCH 12/36] cifs: [WIP] Rewrite base Rx to put data off the socket into a bvecq David Howells
2026-05-19 10:21 ` David Howells [this message]
2026-05-19 10:21 ` [RFC PATCH 14/36] cifs: Remove cifs_io_subrequest::got_bytes David Howells
2026-05-19 10:21 ` [RFC PATCH 15/36] cifs: Pass smb_message to cifs_verify_signature() David Howells
2026-05-19 10:21 ` [RFC PATCH 16/36] cifs: Rewrite base TCP transmission David Howells
2026-05-19 10:36 ` Stefan Metzmacher
2026-05-19 10:21 ` [RFC PATCH 17/36] cifs: Don't use corking David Howells
2026-05-19 10:21 ` [RFC PATCH 20/36] cifs: Pass smb_message structs down into the transport layer David Howells
2026-05-19 10:21 ` [RFC PATCH 21/36] cifs: Add a tracepoint to trace the smb_message refcount David Howells
2026-05-19 10:21 ` [RFC PATCH 22/36] cifs: Trace smb1/2_copy_to_prepped_buffers() David Howells
2026-05-19 10:21 ` [RFC PATCH 23/36] cifs: Clean up mid->callback_data and kill off mid->creator David Howells
2026-05-19 10:21 ` [RFC PATCH 24/36] cifs: Add netmem allocation functions David Howells
2026-05-19 10:21 ` [RFC PATCH 25/36] cifs: Add more pieces to smb_message David Howells
2026-05-19 10:21 ` [RFC PATCH 26/36] cifs: Convert SMB2 Negotiate Protocol request David Howells
2026-05-19 10:21 ` [RFC PATCH 27/36] cifs: Convert SMB2 Session Setup request David Howells
2026-05-19 10:21 ` [RFC PATCH 28/36] cifs: Convert SMB2 Logoff request David Howells
2026-05-19 10:21 ` [RFC PATCH 29/36] cifs: Convert SMB2 Tree Connect request David Howells
2026-05-19 10:21 ` [RFC PATCH 30/36] cifs: Convert SMB2 Tree Disconnect request David Howells
2026-05-19 10:21 ` [RFC PATCH 31/36] cifs: Convert SMB2 Read request David Howells
2026-05-19 10:21 ` [RFC PATCH 32/36] cifs: Convert SMB2 Write request David Howells
2026-05-19 10:21 ` [RFC PATCH 33/36] cifs: [WIP] Don't copy new-style smb_messages to a set of pages David Howells
2026-05-19 10:21 ` [RFC PATCH 34/36] cifs: [WIP] Rearrange Create request subfuncs David Howells
2026-05-19 10:21 ` [RFC PATCH 35/36] cifs: [WIP] Convert SMB2 Posix Mkdir request David Howells
2026-05-19 10:21 ` [RFC PATCH 36/36] cifs: [WIP] Convert SMB2 Open request David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519102158.592165-14-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=almasrymina@google.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=metze@samba.org \
--cc=netfs@lists.linux.dev \
--cc=pc@manguebit.org \
--cc=sfrench@samba.org \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox