!1813 ksmbd: fix cve-2023-38432

Merge Pull Request from: @ci-robot PR sync from: Long Li <leo.lilong@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4S4SHAOWCO2WEWFW2EFRTQPJRF5RA2ZA/ Long Li (1): ksmbd: validate command request size Namjae Jeon (1): ksmbd: validate command payload size -- 2.31.1 https://gitee.com/src-openeuler/kernel/issues/I7LU3O Link:https://gitee.com/openeuler/kernel/pulls/1813 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

!1813 ksmbd: fix cve-2023-38432
Merge Pull Request from: @ci-robot PR sync from: Long Li <leo.lilong@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4S4SHAOWCO2WEWFW2EFRTQPJRF5RA2ZA/ Long Li (1): ksmbd: validate command request size Namjae Jeon (1): ksmbd: validate command payload size -- 2.31.1 https://gitee.com/src-openeuler/kernel/issues/I7LU3O Link:https://gitee.com/openeuler/kernel/pulls/1813 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
476d6aa3 · openeuler-ci-bot · Gitee · 04988a23 · 9b99303a · 476d6aa3
显示空白变更内容
内联并排

Showing with 14 addition and 13 deletion

fs/ksmbd/smb2misc.c fs/ksmbd/smb2misc.c +14 -13

未找到文件。
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -356,6 +356,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
 	int command;
 	__u32 clc_len;  /* calculated length */
 	__u32 len = get_rfc1002_len(work->request_buf);
+	__u32 req_struct_size;
 	if (le32_to_cpu(hdr->NextCommand) > 0)
 		len = le32_to_cpu(hdr->NextCommand);
@@ -378,25 +379,25 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
 	}
 	if (smb2_req_struct_sizes[command] != pdu->StructureSize2) {
-		if (command != SMB2_OPLOCK_BREAK_HE &&
+		if (!(command == SMB2_OPLOCK_BREAK_HE &&
-		    (hdr->Status == 0 || pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
+		    (le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_20 ||
-			/* error packets have 9 byte structure size */
+		    le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_21))) {
+			/* special case for SMB2.1 lease break message */
 			ksmbd_debug(SMB,
 				"Illegal request size %u for command %d\n",
 				le16_to_cpu(pdu->StructureSize2), command);
 			return 1;
-		} else if (command == SMB2_OPLOCK_BREAK_HE &&
-			   hdr->Status == 0 &&
-			   le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_20 &&
-			   le16_to_cpu(pdu->StructureSize2) != OP_BREAK_STRUCT_SIZE_21) {
-			/* special case for SMB2.1 lease break message */
-			ksmbd_debug(SMB,
-				    "Illegal request size %d for oplock break\n",
-				    le16_to_cpu(pdu->StructureSize2));
-			return 1;
 		}
 	}
+	req_struct_size = le16_to_cpu(pdu->StructureSize2) +
+		__SMB2_HEADER_STRUCTURE_SIZE;
+	if (command == SMB2_LOCK_HE)
+		req_struct_size -= sizeof(struct smb2_lock_element);
+	if (req_struct_size > len + 1)
+		return 1;
 	if (smb2_calc_size(hdr, &clc_len))
 		return 1;