
From: Marios Makassikis <mmakassikis@freebox.fr> mainline inclusion from mainline-5.15-rc1 commit a5a25a114ab2412831f063361360eb1192ca6151 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/a5a25a114ab2 ------------------------------- smb2_validate_credit_charge() checks the CreditCharge field in the request is valid with regards to the payload size. The current implementation rejects requests with CreditCharge = 0 and a payload < 64K, even though they should be accepted. Set CreditCharge to a minimum value of 1 to avoid rejecting such requests. This matches what samba4 does. Fixes share enumeration for jcifs-ng clients. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
---
 fs/ksmbd/smb2misc.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index 730d68032c46..4508631c5706 100644
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -317,14 +317,12 @@ static int smb2_validate_credit_charge(struct smb2_hdr *hdr)
 return 0;
 }
+ credit_charge = max(1, credit_charge);
 max_len = max(req_len, expect_resp_len);
 calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE);
- if (!credit_charge && max_len > SMB2_MAX_BUFFER_SIZE) {
- pr_err("credit charge is zero and payload size(%d) is bigger than 64K\n",
- max_len);
- return 1;
- } else if (credit_charge < calc_credit_num) {
- pr_err("credit charge : %d, calc_credit_num : %d\n",
+
+ if (credit_charge < calc_credit_num) {
+ pr_err("Insufficient credit charge, given: %d, needed: %d\n",
 credit_charge, calc_credit_num);
 return 1;
 }
-- 2.31.1
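Review bot: The `pr_err()` in the rewritten check fires on a CreditCharge value that comes straight from the client's request, so a peer that keeps sending under-charged requests can fill the kernel log at error level. A rate-limited or debug-level print would be safer here, e.g. starting the call with `pr_err_ratelimited("Insufficient credit charge, given: %d, needed: %d\n",`. Because `credit_charge` is clamped before the comparison, the message reports "given: 1" when the request actually carried 0; logging the raw field value would keep the diagnostic accurate. The declaration of `credit_charge` lies outside the hunk, so its type should be confirmed against the int literal in `max(1, credit_charge)`; if they differ, `max_t()` with an explicit type is the usual form. smb2_validate_credit_charge() begins before the hunk and continues after it.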