Three ksmbd server fixes

-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmVN1/gACgkQiiy9cAdy T1HFlAv9Ejt62uSKquLYpa8OQPUS0L4rxW3RvpfsAdSsnnDWLAeuVPPkTOqTHnw7 0tifp5h9cS8qYsWvACb5MdWPc71J91QU22tMmd8eeW++9IsBNOX/5Ph635PBppxC Q0FL+G2xQ/vlqi0QbkR4SdI7vTvU9LRvxNpqRHgjs4W45r1QC6e9LJ3ncJf1aKfz k2v90M0Oo++YXztLLYPapbtlHYc9c/Xufu6HPbfWH/Ryc2N2CxQ6Z3Kp9RGP5PGk gT4SBVR69VfWHK1JK8dqPkbiaiEyRUxhPVqTCMdVzFbFAhczQbcqa8Ufz9nVXfnO P98cq9c2/NF7JUYQVs6V4kZa74kD8osnuKud6706teM31Zr9OZlq2keyV2Zx1m6I Niwwzdn/lXfT8GCIDE20KNCAdV3y1vu5yQkg3Mnv0Yj1VawyHKlAdYeQ0So5s4Sm B5bXnXr5wgd4ughGYDhO5gCwSn6L8CGwkzQ+bkN4FdjBWPMKVAyuCQL/0UglJ2LK KuQxhCDE =YnRz -----END PGP SIGNATURE----- Merge tag '6.7-rc-smb3-server-part2' of git://git.samba.org/ksmbd Pull smb server fixes from Steve French: - slab out of bounds fix in ACL handling - fix malformed request oops - minor doc fix * tag '6.7-rc-smb3-server-part2' of git://git.samba.org/ksmbd: ksmbd: handle malformed smb1 message ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() ksmbd: fix slab out of bounds write in smb_inherit_dacl()
2024-11-25 21:24:08 +08:00 · 2023-11-10 10:23:53 -08:00 · 2023-11-10 10:23:53 -08:00 · 826c484166
commit 826c484166
parent e21165bfbc 5a5409d90b
3 changed files with 41 additions and 6 deletions
--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@ -366,11 +366,22 @@ static int smb1_allocate_rsp_buf(struct ksmbd_work *work)
 	return 0;
 }

+/**
+ * set_smb1_rsp_status() - set error type in smb response header
+ * @work:	smb work containing smb response header
+ * @err:	error code to set in response
+ */
+static void set_smb1_rsp_status(struct ksmbd_work *work, __le32 err)
+{
+	work->send_no_response = 1;
+}
+
 static struct smb_version_ops smb1_server_ops = {
 	.get_cmd_val = get_smb1_cmd_val,
 	.init_rsp_hdr = init_smb1_rsp_hdr,
 	.allocate_rsp_buf = smb1_allocate_rsp_buf,
 	.check_user_session = smb1_check_user_session,
+	.set_rsp_status = set_smb1_rsp_status,
 };

 static int smb1_negotiate(struct ksmbd_work *work)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@ -1107,6 +1107,7 @@ pass:
 		struct smb_acl *pdacl;
 		struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
 		int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
+		int pntsd_alloc_size;

 		if (parent_pntsd->osidoffset) {
 			powner_sid = (struct smb_sid *)((char *)parent_pntsd +
@ -1119,9 +1120,10 @@ pass:
 			pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
 		}

-		pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size +
-				pgroup_sid_size + sizeof(struct smb_acl) +
-				nt_size, GFP_KERNEL);
+		pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size +
+			pgroup_sid_size + sizeof(struct smb_acl) + nt_size;
+
+		pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL);
 		if (!pntsd) {
 			rc = -ENOMEM;
 			goto free_aces_base;
@ -1136,6 +1138,27 @@ pass:
 		pntsd->gsidoffset = parent_pntsd->gsidoffset;
 		pntsd->dacloffset = parent_pntsd->dacloffset;

+		if ((u64)le32_to_cpu(pntsd->osidoffset) + powner_sid_size >
+		    pntsd_alloc_size) {
+			rc = -EINVAL;
+			kfree(pntsd);
+			goto free_aces_base;
+		}
+
+		if ((u64)le32_to_cpu(pntsd->gsidoffset) + pgroup_sid_size >
+		    pntsd_alloc_size) {
+			rc = -EINVAL;
+			kfree(pntsd);
+			goto free_aces_base;
+		}
+
+		if ((u64)le32_to_cpu(pntsd->dacloffset) + sizeof(struct smb_acl) + nt_size >
+		    pntsd_alloc_size) {
+			rc = -EINVAL;
+			kfree(pntsd);
+			goto free_aces_base;
+		}
+
 		if (pntsd->osidoffset) {
 			struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd +
 					le32_to_cpu(pntsd->osidoffset));
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@ -1179,6 +1179,7 @@ static int ksmbd_vfs_lookup_in_dir(const struct path *dir, char *name,
 * ksmbd_vfs_kern_path_locked() - lookup a file and get path info
 * @name:		file path that is relative to share
 * @flags:		lookup flags
+ * @parent_path:	if lookup succeed, return parent_path info
 * @path:		if lookup succeed, return path info
 * @caseless:	caseless filename lookup
 *