ksmbd: check protocol id in ksmbd_verify_smb_message()

namjaejeon · smfrench · commit 18a015bccf9e · 2021-09-22T17:21:05.000-05:00
When second smb2 pdu has invalid protocol id, ksmbd doesn't detect it
and allow to process smb2 request. This patch add the check it in
ksmbd_verify_smb_message() and don't use protocol id of smb2 request as
protocol id of response.

Reviewed-by: Ronnie Sahlberg &lt;ronniesahlberg@gmail.com&gt;
Reviewed-by: Ralph Böhme &lt;slow@samba.org&gt;
Reported-by: Ronnie Sahlberg &lt;lsahlber@redhat.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
@@ -433,7 +433,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)
 		work->compound_pfid = KSMBD_NO_FID;
 	}
 	memset((char *)rsp_hdr + 4, 0, sizeof(struct smb2_hdr) + 2);
-	rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;
+	rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;
 	rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;
 	rsp_hdr->Command = rcv_hdr->Command;
 
diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
@@ -129,16 +129,22 @@ int ksmbd_lookup_protocol_idx(char *str)
  *
  * check for valid smb signature and packet direction(request/response)
  *
- * Return:      0 on success, otherwise 1
+ * Return:      0 on success, otherwise -EINVAL
  */
 int ksmbd_verify_smb_message(struct ksmbd_work *work)
 {
-	struct smb2_hdr *smb2_hdr = work->request_buf;
+	struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off;
+	struct smb_hdr *hdr;
 
 	if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
 		return ksmbd_smb2_check_message(work);
 
-	return 0;
+	hdr = work->request_buf;
+	if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER &&
+	    hdr->Command == SMB_COM_NEGOTIATE)
+		return 0;
+
+	return -EINVAL;
 }
 
 /**
@@ -265,7 +271,6 @@ static int ksmbd_negotiate_smb_dialect(void *buf)
 	return BAD_PROT_ID;
 }
 
-#define SMB_COM_NEGOTIATE	0x72
 int ksmbd_init_smb_server(struct ksmbd_work *work)
 {
 	struct ksmbd_conn *conn = work->conn;
diff --git a/fs/ksmbd/smb_common.h b/fs/ksmbd/smb_common.h
@@ -210,6 +210,7 @@
 		FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES)
 
 #define SMB1_PROTO_NUMBER		cpu_to_le32(0x424d53ff)
+#define SMB_COM_NEGOTIATE		0x72
 
 #define SMB1_CLIENT_GUID_SIZE		(16)
 struct smb_hdr {

Original file line number	Diff line number	Diff line change
`@@ -433,7 +433,7 @@ static void init_chained_smb2_rsp(struct ksmbd_work *work)`
`433`	`433`	`work->compound_pfid = KSMBD_NO_FID;`
`434`	`434`	`}`
`435`	`435`	`memset((char *)rsp_hdr + 4, 0, sizeof(struct smb2_hdr) + 2);`
`436`		`- rsp_hdr->ProtocolId = rcv_hdr->ProtocolId;`
	`436`	`+ rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER;`
`437`	`437`	`rsp_hdr->StructureSize = SMB2_HEADER_STRUCTURE_SIZE;`
`438`	`438`	`rsp_hdr->Command = rcv_hdr->Command;`
`439`	`439`
Original file line number	Diff line number	Diff line change
`@@ -129,16 +129,22 @@ int ksmbd_lookup_protocol_idx(char *str)`
`129`	`129`	`*`
`130`	`130`	`* check for valid smb signature and packet direction(request/response)`
`131`	`131`	`*`
`132`		`- * Return: 0 on success, otherwise 1`
	`132`	`+ * Return: 0 on success, otherwise -EINVAL`
`133`	`133`	`*/`
`134`	`134`	`int ksmbd_verify_smb_message(struct ksmbd_work *work)`
`135`	`135`	`{`
`136`		`- struct smb2_hdr *smb2_hdr = work->request_buf;`
	`136`	`+ struct smb2_hdr *smb2_hdr = work->request_buf + work->next_smb2_rcv_hdr_off;`
	`137`	`+ struct smb_hdr *hdr;`
`137`	`138`
`138`	`139`	`if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)`
`139`	`140`	`return ksmbd_smb2_check_message(work);`
`140`	`141`
`141`		`- return 0;`
	`142`	`+ hdr = work->request_buf;`
	`143`	`+ if ((__le32 )hdr->Protocol == SMB1_PROTO_NUMBER &&`
	`144`	`+ hdr->Command == SMB_COM_NEGOTIATE)`
	`145`	`+ return 0;`
	`146`	`+`
	`147`	`+ return -EINVAL;`
`142`	`148`	`}`
`143`	`149`
`144`	`150`	`/**`
`@@ -265,7 +271,6 @@ static int ksmbd_negotiate_smb_dialect(void *buf)`
`265`	`271`	`return BAD_PROT_ID;`
`266`	`272`	`}`
`267`	`273`
`268`		`-#define SMB_COM_NEGOTIATE 0x72`
`269`	`274`	`int ksmbd_init_smb_server(struct ksmbd_work *work)`
`270`	`275`	`{`
`271`	`276`	`struct ksmbd_conn *conn = work->conn;`