
From: Namjae Jeon <namjae.jeon@samsung.com> mainline inclusion from mainline-5.15-rc1 commit d347d745f06c7e6503abc08f68dc3b71da71596d category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA Reference: https://git.kernel.org/torvalds/linux/c/d347d745f06c ------------------------------- Move credit charge verification over smb2 request size verification to avoid being skipped. Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> --- fs/ksmbd/smb2misc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c index e68aa7d718ed..9aa46bb3e10d 100644 --- a/fs/ksmbd/smb2misc.c +++ b/fs/ksmbd/smb2misc.c @@ -385,6 +385,12 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) } } + if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && + smb2_validate_credit_charge(hdr)) { + work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); + return 1; + } + clc_len = smb2_calc_size(hdr); if (len != clc_len) { /* server can return one byte more due to implied bcc[0] */ @@ -423,12 +429,6 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) return 1; } - if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && - smb2_validate_credit_charge(hdr)) { - work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER); - return 1; - } - return 0; } -- 2.31.1
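Review bot: In the first hunk, `smb2_validate_credit_charge(hdr)` now runs before `len` is compared with `clc_len`, so any command-specific request fields it reads come from a message whose length has not yet been checked against the calculated size. The validator's body is not visible here, so please confirm that the earlier header and StructureSize2 checks guarantee the fixed-size request body lies inside the received buffer before it is dereferenced. The ordering is deliberate per the commit message, so a comment above the block would stop a later cleanup from moving it back, for example `/* Must precede the request size verification, which can return early and would skip this check. */`. ksmbd_smb2_check_message begins outside the hunk.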