Commit c119f4ed authored by Namjae Jeon, committed by Steve French

ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
validation could be skipped. If the request size is smaller than
sizeof(struct smb2_query_info_req), a slab-out-of-bounds read can happen in
smb2_allocate_rsp_buf(). This patch allocates the response buffer after
decrypting the transform request. smb3_decrypt_req() will validate the transform
request size and avoid the slab-out-of-bounds read in smb2_allocate_rsp_buf().

Reported-by: Norbert Szetei <norbert@doyensec.com>
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 0bbac3fa
+5 −8
@@ -167,20 +167,17 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
	int rc;
	bool is_chained = false;

	if (conn->ops->allocate_rsp_buf(work))
		return;

	if (conn->ops->is_transform_hdr &&
	    conn->ops->is_transform_hdr(work->request_buf)) {
		rc = conn->ops->decrypt_req(work);
		if (rc < 0) {
			conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
			goto send;
		}

		if (rc < 0)
			return;
		work->encrypted = true;
	}

	if (conn->ops->allocate_rsp_buf(work))
		return;

	rc = conn->ops->init_rsp_hdr(work);
	if (rc) {
		/* either uid or tid is not correct */
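Review bot: the decrypt failure path in this hunk silently changes behaviour and the commit message does not say so. Before the change a failed `decrypt_req()` ran `conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); goto send;` so the client received an error response; after it the branch is a bare `if (rc < 0) return;`, so a malformed or undecryptable transform request is now dropped without any reply. That is unavoidable once `allocate_rsp_buf()` is moved below the decrypt step (there is no response buffer to set a status in yet), and dropping an unvalidated request is the safer choice, but the message should state that the STATUS_DATA_ERROR reply is gone, and a one-line comment above the `return` explaining why no response can be sent at that point would save the next reader from "restoring" the old error path and reintroducing the out-of-bounds read. Minor: the `rc` declaration at the top of the function is now only written inside the transform branch and in `init_rsp_hdr()`, so no further change is needed there.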