8935 SMB ioctl fixes incomplete

Reviewed by: Alex Wilson <alex.wilson@joyent.com> Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Reviewed by: Rui Loura <rui.loura@joyent.com> Reviewed by: Garrett D'Amore <garrett@damore.org> Reviewed by: Dominik Hassler <hasslerd@gmx.li> Approved by: Garrett D'Amore <garrett@damore.org>
illumos · Dec 22, 2017 · 1d443a9 · 1d443a9
1 parent 1b44c77
commit 1d443a9
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/usr/src/uts/common/fs/smbsrv/smb_kshare.c b/usr/src/uts/common/fs/smbsrv/smb_kshare.c
@@ -22,6 +22,7 @@
 /*
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2013 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent, Inc.
  */
 
 #include <smbsrv/smb_door.h>
@@ -386,6 +387,15 @@ smb_kshare_export_list(smb_ioc_share_t *ioc)
 		goto out;
 	}
 
+	/*
+	 * Reality check that the nvlist's reported length doesn't exceed the
+	 * ioctl's total length.  We then assume the nvlist_unpack() will
+	 * sanity check the nvlist itself.
+	 */
+	if ((ioc->shrlen + offsetof(smb_ioc_share_t, shr)) > ioc->hdr.len) {
+		rc = EINVAL;
+		goto out;
+	}
 	rc = nvlist_unpack(ioc->shr, ioc->shrlen, &shrlist, KM_SLEEP);
 	if (rc != 0)
 		goto out;
@@ -463,6 +473,15 @@ smb_kshare_unexport_list(smb_ioc_share_t *ioc)
 	if ((rc = smb_server_lookup(&sv)) != 0)
 		return (rc);
 
+	/*
+	 * Reality check that the nvlist's reported length doesn't exceed the
+	 * ioctl's total length.  We then assume the nvlist_unpack() will
+	 * sanity check the nvlist itself.
+	 */
+	if ((ioc->shrlen + offsetof(smb_ioc_share_t, shr)) > ioc->hdr.len) {
+		rc = EINVAL;
+		goto out;
+	}
 	if ((rc = nvlist_unpack(ioc->shr, ioc->shrlen, &shrlist, 0)) != 0)
 		goto out;
 

diff --git a/usr/src/uts/common/fs/smbsrv/smb_server.c b/usr/src/uts/common/fs/smbsrv/smb_server.c
@@ -535,6 +535,12 @@ smb_server_configure(smb_ioc_cfg_t *ioc)
 	int		rc = 0;
 	smb_server_t	*sv;
 
+	/*
+	 * Reality check negotiation token length vs. #define'd maximum.
+	 */
+	if (ioc->negtok_len > SMB_PI_MAX_NEGTOK)
+		return (EINVAL);
+
 	rc = smb_server_lookup(&sv);
 	if (rc)
 		return (rc);
@@ -842,6 +848,13 @@ smb_server_enum(smb_ioc_svcenum_t *ioc)
 	smb_server_t	*sv;
 	int		rc;
 
+	/*
+	 * Reality check that the buffer-length insize the enum doesn't
+	 * overrun the ioctl's total length.
+	 */
+	if (svcenum->se_buflen + sizeof (*ioc) > ioc->hdr.len)
+		return (EINVAL);
+
 	if ((rc = smb_server_lookup(&sv)) != 0)
 		return (rc);
 

diff --git a/usr/src/uts/common/smbsrv/smb_ioctl.h b/usr/src/uts/common/smbsrv/smb_ioctl.h
@@ -126,6 +126,7 @@ typedef struct smb_svcenum {
 	uint32_t	se_type;	/* object type to enumerate */
 	uint32_t	se_level;	/* level of detail being requested */
 	uint32_t	se_prefmaxlen;	/* client max size buffer preference */
+					/* (ignored by kernel) */
 	uint32_t	se_resume;	/* client resume handle */
 	uint32_t	se_bavail;	/* remaining buffer space in bytes */
 	uint32_t	se_bused;	/* consumed buffer space in bytes */