Commit eee7f5b4 authored by Linus Torvalds

Merge tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fixes from Steve French:

 - two multichannel reconnect fixes, one fixing an important refcounting
   problem that can lead to umount problems

 - atime fix

 - five fixes for various potential OOB accesses, including a CVE fix,
   and two additional fixes for problems pointed out by Robert Morris's
   fuzzing investigation

* tag '6.7-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: do not let cifs_chan_update_iface deallocate channels
  cifs: fix a pending undercount of srv_count
  fs: cifs: Fix atime update check
  smb: client: fix potential OOB in smb2_dump_detail()
  smb: client: fix potential OOB in cifs_dump_detail()
  smb: client: fix OOB in smbCalcSize()
  smb: client: fix OOB in SMB2_query_info_init()
  smb: client: fix OOB in cifsd when receiving compounded resps
parents 1bf5c892 12d1e301
+7 −5
@@ -40,11 +40,13 @@ void cifs_dump_detail(void *buf, struct TCP_Server_Info *server)
#ifdef CONFIG_CIFS_DEBUG2
	struct smb_hdr *smb = buf;

	cifs_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Flgs2: 0x%x Mid: %d Pid: %d\n",
		 smb->Command, smb->Status.CifsError,
		 smb->Flags, smb->Flags2, smb->Mid, smb->Pid);
	cifs_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Flgs2: 0x%x Mid: %d Pid: %d Wct: %d\n",
		 smb->Command, smb->Status.CifsError, smb->Flags,
		 smb->Flags2, smb->Mid, smb->Pid, smb->WordCount);
	if (!server->ops->check_message(buf, server->total_read, server)) {
		cifs_dbg(VFS, "smb buf %p len %u\n", smb,
			 server->ops->calc_smb_size(smb));
	}
#endif /* CONFIG_CIFS_DEBUG2 */
}
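Review bot: The guard around calc_smb_size() has no comment explaining why it exists, and the `!` reads backwards unless the reader knows that check_message() returns 0 for a well-formed frame. A comment above the `if`, such as `/* calc_smb_size() derives the length from fields in the buffer; only call it on a frame check_message() accepted (0 == valid) */`, would keep a later cleanup from dropping the check. The first cifs_dbg() still reads the header fields, now including WordCount, before any length validation, so it presumably relies on buf always being at least sizeof(struct smb_hdr); that is not visible here and is worth confirming. The function's opening lies outside the hunk.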

+2 −1
@@ -532,7 +532,8 @@ struct smb_version_operations {
				 struct mid_q_entry **, char **, int *);
	enum securityEnum (*select_sectype)(struct TCP_Server_Info *,
			    enum securityEnum);
	int (*next_header)(char *);
	int (*next_header)(struct TCP_Server_Info *server, char *buf,
			   unsigned int *noff);
	/* ioctl passthrough for query_info */
	int (*ioctl_query_info)(const unsigned int xid,
				struct cifs_tcon *tcon,
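Review bot: The new next_header prototype states no contract, although the callback now both returns a status and writes through `noff`. The caller in cifs_demultiplex_thread treats a non-zero return as a malformed response and reads the offset on both the success and the error path. A comment such as `/* returns 0 on success, non-zero on a malformed header; *noff receives the next PDU offset (0 if none) */` would pin that down for every implementation. Whether all implementations store to `*noff` before failing cannot be seen from this hunk, and the struct definition begins and ends outside it.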
+6 −1
@@ -1201,7 +1201,12 @@ cifs_demultiplex_thread(void *p)
		server->total_read += length;

		if (server->ops->next_header) {
			next_offset = server->ops->next_header(buf);
			if (server->ops->next_header(server, buf, &next_offset)) {
				cifs_dbg(VFS, "%s: malformed response (next_offset=%u)\n",
					 __func__, next_offset);
				cifs_reconnect(server, true);
				continue;
			}
			if (next_offset)
				server->pdu_size = next_offset;
		}
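Review bot: The error message prints `next_offset`, which is meaningful only if the callback stores to `*noff` before returning non-zero. If an implementation bails out earlier, the log shows a stale or uninitialised value from the previous loop iteration. Setting `next_offset = 0;` immediately before the `next_header` call would make the logged value trustworthy when triaging a misbehaving server. The declaration of `next_offset` and the rest of the receive loop are outside the hunk, so this may already be handled there.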
+1 −1
@@ -4671,7 +4671,7 @@ static int cifs_readpage_worker(struct file *file, struct page *page,
	/* we do not want atime to be less than mtime, it broke some apps */
	atime = inode_set_atime_to_ts(inode, current_time(inode));
	mtime = inode_get_mtime(inode);
	if (timespec64_compare(&atime, &mtime))
	if (timespec64_compare(&atime, &mtime) < 0)
		inode_set_atime_to_ts(inode, inode_get_mtime(inode));

	if (PAGE_SIZE > rc)
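Review bot: The clamp re-reads the timestamp with `inode_get_mtime(inode)` although the local `mtime` was fetched one line earlier and is the value that was just compared. Writing `inode_set_atime_to_ts(inode, mtime);` keeps the compared and the stored value identical and saves the second accessor call. The existing comment says atime must not be less than mtime, which now matches the `< 0` test. The function body starts and ends outside the hunk.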
+4 −0
@@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
			cifs_dbg(VFS, "Length less than smb header size\n");
		}
		return -EIO;
	} else if (total_read < sizeof(*smb) + 2 * smb->WordCount) {
		cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n",
			 __func__, smb->WordCount);
		return -EIO;
	}

	/* otherwise, there is enough to get to the BCC */
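Review bot: The new bound `sizeof(*smb) + 2 * smb->WordCount` covers the parameter words but not the two-byte BCC that follows them. A frame with `total_read` exactly equal to that sum passes the check, yet the comment below says there is enough to get to the BCC. If the code after the hunk reads BCC from the buffer, the value would come from bytes that were never received; `} else if (total_read < sizeof(*smb) + 2 * smb->WordCount + 2) {` closes that gap. If responses without a BCC are legitimate on this path, a comment saying so next to the check would do instead. The rest of checkSMB, including the first length test, is outside the hunk, so this needs confirming against the full function.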