fix for smb311 client negotiate context overflow, also marked for stable

-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmQ7N54ACgkQiiy9cAdy T1GSeQwAuz5qds5hFwc7Z37ElcA6wEqVuNRV7xqgYL3QTAw9rUc56JyUIsJMscy9 /PXXKeZdejyWzZ2OShdpS9vciVzgXyVLVVKIDvy0BUif79fIlBwjPYEXBS39Cet0 vjdTNYl7hAXAK0UXA+II/2SoCjvh6ho8quN7hRQPHKr1PMrQWmqtipbyWXzgOUEU TO2MTNFakv2PiFYF0CvGsyHpvbgZWViSqQ7Pt1VpZwCwB3USImBTn8dl6lPJZHXq RWAoE7hoE075xxCUr4/+VTWCJBC2OFhprrhEEOj+y1lQCoMOPO4vDd73ctBkfL0o 01IlE5q5aOZILkg2EramoynDfOElJ8gbcfRi+8s/ErbrWLRiotyBNElK2ig8JNTH aHU/39KFgkVlsfeyXBPLY8sB/WPoVfwjL2k/P/YuUWGfFZoYqqoxs4x9+gS5p3cZ HuFwjiiJFllX3BRtyINysv5u2PfUoKaNs0eFnELSKS4dvWVXts6rjM4fYCNSeI00 nRHbtnYD =makV -----END PGP SIGNATURE----- Merge tag '6.3-rc6-smb311-client-negcontext-fix' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fix from Steve French: "Small client fix for better checking for smb311 negotiate context overflows, also marked for stable" * tag '6.3-rc6-smb311-client-negcontext-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix negotiate context parsing
2025-01-01 10:42:11 +00:00 · 2023-04-15 18:37:51 -07:00 · 2023-04-15 18:37:51 -07:00 · 3e7bb4f246
commit 3e7bb4f246
parent bc88aa51a6 5105a7ffce
1 changed files with 31 additions and 10 deletions
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@ -587,11 +587,15 @@ assemble_neg_contexts(struct smb2_negotiate_req *req,

 }

+/* If invalid preauth context warn but use what we requested, SHA-512 */
 static void decode_preauth_context(struct smb2_preauth_neg_context *ctxt)
 {
 	unsigned int len = le16_to_cpu(ctxt->DataLength);

-	/* If invalid preauth context warn but use what we requested, SHA-512 */
+	/*
+	 * Caller checked that DataLength remains within SMB boundary. We still
+	 * need to confirm that one HashAlgorithms member is accounted for.
+	 */
 	if (len < MIN_PREAUTH_CTXT_DATA_LEN) {
 		pr_warn_once("server sent bad preauth context\n");
 		return;
@ -610,7 +614,11 @@ static void decode_compress_ctx(struct TCP_Server_Info *server,
 {
 	unsigned int len = le16_to_cpu(ctxt->DataLength);

-	/* sizeof compress context is a one element compression capbility struct */
+	/*
+	 * Caller checked that DataLength remains within SMB boundary. We still
+	 * need to confirm that one CompressionAlgorithms member is accounted
+	 * for.
+	 */
 	if (len < 10) {
 		pr_warn_once("server sent bad compression cntxt\n");
 		return;
@ -632,6 +640,11 @@ static int decode_encrypt_ctx(struct TCP_Server_Info *server,
 	unsigned int len = le16_to_cpu(ctxt->DataLength);

 	cifs_dbg(FYI, "decode SMB3.11 encryption neg context of len %d\n", len);
+	/*
+	 * Caller checked that DataLength remains within SMB boundary. We still
+	 * need to confirm that one Cipher flexible array member is accounted
+	 * for.
+	 */
 	if (len < MIN_ENCRYPT_CTXT_DATA_LEN) {
 		pr_warn_once("server sent bad crypto ctxt len\n");
 		return -EINVAL;
@ -678,6 +691,11 @@ static void decode_signing_ctx(struct TCP_Server_Info *server,
 {
 	unsigned int len = le16_to_cpu(pctxt->DataLength);

+	/*
+	 * Caller checked that DataLength remains within SMB boundary. We still
+	 * need to confirm that one SigningAlgorithms flexible array member is
+	 * accounted for.
+	 */
 	if ((len < 4) || (len > 16)) {
 		pr_warn_once("server sent bad signing negcontext\n");
 		return;
@ -719,14 +737,19 @@ static int smb311_decode_neg_context(struct smb2_negotiate_rsp *rsp,
 	for (i = 0; i < ctxt_cnt; i++) {
 		int clen;
 		/* check that offset is not beyond end of SMB */
-		if (len_of_ctxts == 0)
-			break;
-
 		if (len_of_ctxts < sizeof(struct smb2_neg_context))
 			break;

 		pctx = (struct smb2_neg_context *)(offset + (char *)rsp);
-		clen = le16_to_cpu(pctx->DataLength);
+		clen = sizeof(struct smb2_neg_context)
+			+ le16_to_cpu(pctx->DataLength);
+		/*
+		 * 2.2.4 SMB2 NEGOTIATE Response
+		 * Subsequent negotiate contexts MUST appear at the first 8-byte
+		 * aligned offset following the previous negotiate context.
+		 */
+		if (i + 1 != ctxt_cnt)
+			clen = ALIGN(clen, 8);
 		if (clen > len_of_ctxts)
 			break;

@ -747,12 +770,10 @@ static int smb311_decode_neg_context(struct smb2_negotiate_rsp *rsp,
 		else
 			cifs_server_dbg(VFS, "unknown negcontext of type %d ignored\n",
 				le16_to_cpu(pctx->ContextType));
-
 		if (rc)
 			break;
-		/* offsets must be 8 byte aligned */
-		clen = ALIGN(clen, 8);
-		offset += clen + sizeof(struct smb2_neg_context);
+
+		offset += clen;
 		len_of_ctxts -= clen;
 	}
 	return rc;