Commit e814f3fd authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'v6.14-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd 

Pull smb server updates from Steve French:
 "Three ksmbd server fixes:

   - Fix potential memory corruption in IPC calls

   - Support FSCTL_QUERY_INTERFACE_INFO for more configurations

   - Remove some unused functions"

* tag 'v6.14-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix integer overflows on 32 bit systems
  ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL
  ksmbd: Remove unused functions
parents 8883957b aab98e2d

fs/smb/server/ksmbd_netlink.h

+2 −1
Original line number Diff line number Diff line
@@ -111,7 +111,8 @@ struct ksmbd_startup_request { 
	__u32	smb2_max_credits;	/* MAX credits */

	__u32	smbd_max_io_size;	/* smbd read write size */

	__u32	max_connections;	/* Number of maximum simultaneous connections */

	__u32	reserved[126];		/* Reserved room */

	__s8	bind_interfaces_only;

	__s8	reserved[503];		/* Reserved room */

	__u32	ifc_list_sz;		/* interfaces list size */

	__s8	____payload[];

};

fs/smb/server/server.h

+1 −0
Original line number Diff line number Diff line
@@ -46,6 +46,7 @@ struct ksmbd_server_config { 


	char			*conf[SERVER_CONF_WORK_GROUP + 1];

	struct task_struct	*dh_task;

	bool			bind_interfaces_only;

};



extern struct ksmbd_server_config server_conf;

fs/smb/server/smb2pdu.c

+4 −0
Original line number Diff line number Diff line
@@ -38,6 +38,7 @@ 
#include "mgmt/user_session.h"

#include "mgmt/ksmbd_ida.h"

#include "ndr.h"

#include "transport_tcp.h"



static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)

{
@@ -7759,6 +7760,9 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, 
		if (netdev->type == ARPHRD_LOOPBACK)

			continue;



		if (!ksmbd_find_netdev_name_iface_list(netdev->name))

			continue;



		flags = dev_get_flags(netdev);

		if (!(flags & IFF_RUNNING))

			continue;

fs/smb/server/transport_ipc.c

+10 −25
Original line number Diff line number Diff line
@@ -333,6 +333,7 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req) 
	ret = ksmbd_set_netbios_name(req->netbios_name);

	ret |= ksmbd_set_server_string(req->server_string);

	ret |= ksmbd_set_work_group(req->work_group);

	server_conf.bind_interfaces_only = req->bind_interfaces_only;

	ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),

					req->ifc_list_sz);

	if (ret) {
@@ -626,6 +627,9 @@ ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len) 
	struct ksmbd_spnego_authen_request *req;

	struct ksmbd_spnego_authen_response *resp;



	if (blob_len > KSMBD_IPC_MAX_PAYLOAD)

		return NULL;



	msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) +

			blob_len + 1);

	if (!msg)
@@ -805,6 +809,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle 
	struct ksmbd_rpc_command *req;

	struct ksmbd_rpc_command *resp;



	if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)

		return NULL;



	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);

	if (!msg)

		return NULL;
@@ -853,6 +860,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle 
	struct ksmbd_rpc_command *req;

	struct ksmbd_rpc_command *resp;



	if (payload_sz > KSMBD_IPC_MAX_PAYLOAD)

		return NULL;



	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);

	if (!msg)

		return NULL;
@@ -871,31 +881,6 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle 
	return resp;

}



struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,

					size_t payload_sz)

{

	struct ksmbd_ipc_msg *msg;

	struct ksmbd_rpc_command *req;

	struct ksmbd_rpc_command *resp;



	msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);

	if (!msg)

		return NULL;



	msg->type = KSMBD_EVENT_RPC_REQUEST;

	req = (struct ksmbd_rpc_command *)msg->payload;

	req->handle = ksmbd_acquire_id(&ipc_ida);

	req->flags = rpc_context_flags(sess);

	req->flags |= KSMBD_RPC_RAP_METHOD;

	req->payload_sz = payload_sz;

	memcpy(req->payload, payload, payload_sz);



	resp = ipc_msg_send_request(msg, req->handle);

	ipc_msg_handle_free(req->handle);

	ipc_msg_free(msg);

	return resp;

}



static int __ipc_heartbeat(void)

{

	unsigned long delta;

fs/smb/server/transport_ipc.h

+0 −2
Original line number Diff line number Diff line
@@ -41,8 +41,6 @@ struct ksmbd_rpc_command *ksmbd_rpc_write(struct ksmbd_session *sess, int handle 
struct ksmbd_rpc_command *ksmbd_rpc_read(struct ksmbd_session *sess, int handle);

struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct ksmbd_session *sess, int handle,

					  void *payload, size_t payload_sz);

struct ksmbd_rpc_command *ksmbd_rpc_rap(struct ksmbd_session *sess, void *payload,

					size_t payload_sz);

void ksmbd_ipc_release(void);

void ksmbd_ipc_soft_reset(void);

int ksmbd_ipc_init(void);