SMB1 fixes #399
SMB1 fixes #399
Conversation
mmakassikis
force-pushed
the
marios/smb1-fixes
branch
from
935ba12
to
94d95ac
Compare
auth.c
Outdated
| @@ -330,16 +330,23 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash, | |||
| * ksmbd_auth_ntlm() - NTLM authentication handler | |||
| * @sess: session of connection | |||
| * @pw_buf: NTLM challenge response | |||
| * @passkey: user password | |||
| * @pw_len: buffer length | |||
| * @cryptkey: buffer length | |||
There was a problem hiding this comment.
- * @cryptkey: buffer length
+ * @cryptkey: server challenge
|
I have applied 3 patches first. I need more time to review "ksmbd: smb1: add buffer validation" patch. |
namjaejeon
force-pushed
the
master
branch
2 times, most recently
from
80f76a4
to
cdd2c68
Compare
namjaejeon
force-pushed
the
master
branch
2 times, most recently
from
598c4b4
to
9ef42e9
Compare
|
@mmakassikis Sorry for checking "ksmbd: smb1: add buffer validation" patch. I will check it on weekend. |
Okay, I will review this patch on weekend. |
smb1pdu.c
Outdated
| pr_err("Unable to strdup() treename or devtype uid %d\n", | ||
| rsp_hdr->Uid); | ||
| offset += offsetof(struct smb_com_tconx_req, Password); | ||
| offset += le16_to_cpu(req->PasswordLength); |
There was a problem hiding this comment.
Have you tested if req->PasswordLength is zero ?
There was a problem hiding this comment.
If req->PasswordLength is zero, offset is unchanged (incidentally, the current code works because req->PasswordLength == le16_to_cpu(req->PasswordLength)).
I don't see what problems can arise with req->PasswordLength.
smb1pdu.c
Outdated
| @@ -1007,6 +1036,12 @@ static int build_sess_rsp_extsec(struct ksmbd_conn *conn, | |||
| negblob = (struct negotiate_message *)req->SecurityBlob; | |||
| sz = le16_to_cpu(req->SecurityBlobLength); | |||
|
|
|||
| if (offsetof(struct smb_com_session_setup_req, SecurityBlob) + sz > | |||
| get_rfc1002_len(req)) { | |||
There was a problem hiding this comment.
This check can be moved to smb1misc.c ?
|
@mmakassikis When I checked smb1 buffer validation patch, You need to move some of validation codes to smb1misc.c. I think that you can check codes in smb2misc.c |
| { | ||
| struct andx_block *andx_ptr = (struct andx_block *)(buf + | ||
| sizeof(struct smb_hdr) - 1); | ||
| struct andx_block *next; | ||
|
|
||
| /* AndXOffset does not include 4 byte RFC1002 header */ | ||
| len -= 4; |
There was a problem hiding this comment.
Does the "len" include 4-byte RFC1002 header?
There was a problem hiding this comment.
buf is the full request (RFC1002 header, followed by SMB2 header and payload). len should those 4 bytes.
The code here is correct, but the caller code is wrong as it uses get_rfc1002_len() which is the buffer length minus 4.
This mistake is present in most if not all changes in this patch.
smb1pdu.c
Outdated
| else { | ||
| oldname_len = strlen(oldname); | ||
| oldname_len++; | ||
| } | ||
|
|
||
| offset += oldname_len + 2; | ||
| if (offset > maxlen) { |
There was a problem hiding this comment.
instead of offset > maxlen, offset >= maxlen?
There was a problem hiding this comment.
Yes. Actually, I thought it was ok as we passed a calculated length to smb_get_name(), but if the request is malformed, it's possible to have offset > maxlen, in which case the negative "maxlen - offset" will cause an infinite loop in smb_utf16_bytes().
I will update the patch to check offset >= maxlen before calling smb_get_name().
smb1pdu.c
Outdated
| @@ -1936,9 +1982,18 @@ int smb_trans(struct ksmbd_work *work) | |||
| if (req->SetupCount) | |||
| setup_bytes_count = 2 * req->SetupCount; | |||
|
|
|||
| maxlen = get_rfc1002_len(req); | |||
| offset = offsetof(struct smb_com_trans_req, Data); | |||
There was a problem hiding this comment.
Doesn't 1-byte, smb_com_trans_req.Data[1] need to be considered?
There was a problem hiding this comment.
I don't understand.
Currently, the code parses up to 256 bytes starting from req->Data + setup_bytes_count. My change initializes the offset to req->Data. Whether the Data field is Data[0] or Data[1] doesn't matter, no ?
namjaejeon
force-pushed
the
master
branch
7 times, most recently
from
d055654
to
7202068
Compare
namjaejeon
force-pushed
the
master
branch
9 times, most recently
from
c683c7d
to
04bf112
Compare
namjaejeon
force-pushed
the
master
branch
3 times, most recently
from
4777128
to
40de0c8
Compare
namjaejeon
force-pushed
the
master
branch
6 times, most recently
from
5fade64
to
1ebde87
Compare
namjaejeon
force-pushed
the
master
branch
7 times, most recently
from
7325a44
to
fe243b7
Compare
namjaejeon
force-pushed
the
master
branch
2 times, most recently
from
02d9c6e
to
d6fb37b
Compare
namjaejeon
force-pushed
the
master
branch
3 times, most recently
from
6209cee
to
332f4ca
Compare
namjaejeon
force-pushed
the
master
branch
3 times, most recently
from
f389804
to
8dffdce
Compare
namjaejeon
force-pushed
the
master
branch
2 times, most recently
from
9d7a48d
to
45a4e49
Compare
A few fixes SMB1 fixes:
The first 3 ones small fixes. The last one is big, but it is essentially the same pattern repeated over and over again.
I tried sending to the linux-cifsd-devel list, but it looks like the project has been deleted from sourceforge.