From: Namjae Jeon linkinjeon@kernel.org
mainline inclusion from mainline-5.15-rc4 commit 4227f811cdeb4d85db91ea6b9adf9ac049cec12e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/4227f811cdeb
-------------------------------
Validate that the transform and smb request headers are present before checking OriginalMessageSize and SessionId fields.
Cc: Ronnie Sahlberg ronniesahlberg@gmail.com Cc: Ralph Böhme slow@samba.org Cc: Sergey Senozhatsky senozhatsky@chromium.org Reviewed-by: Tom Talpey tom@talpey.com Acked-by: Hyunchul Lee hyc.lee@gmail.com Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- fs/ksmbd/smb2pdu.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 67a14c2a1262..525089577d3b 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -8360,16 +8360,8 @@ int smb3_decrypt_req(struct ksmbd_work *work) unsigned int buf_data_size = pdu_length + 4 - sizeof(struct smb2_transform_hdr); struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf; - unsigned int orig_len = le32_to_cpu(tr_hdr->OriginalMessageSize); int rc = 0;
- sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); - if (!sess) { - pr_err("invalid session id(%llx) in transform header\n", - le64_to_cpu(tr_hdr->SessionId)); - return -ECONNABORTED; - } - if (pdu_length + 4 < sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) { pr_err("Transform message is too small (%u)\n", @@ -8377,11 +8369,19 @@ int smb3_decrypt_req(struct ksmbd_work *work) return -ECONNABORTED; }
- if (pdu_length + 4 < orig_len + sizeof(struct smb2_transform_hdr)) { + if (pdu_length + 4 < + le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) { pr_err("Transform message is broken\n"); return -ECONNABORTED; }
+ sess = ksmbd_session_lookup_all(conn, le64_to_cpu(tr_hdr->SessionId)); + if (!sess) { + pr_err("invalid session id(%llx) in transform header\n", + le64_to_cpu(tr_hdr->SessionId)); + return -ECONNABORTED; + } + iov[0].iov_base = buf; iov[0].iov_len = sizeof(struct smb2_transform_hdr); iov[1].iov_base = buf + sizeof(struct smb2_transform_hdr);