
Commit 2ea086e

hcleesmfrench
authored andcommitted
ksmbd: add buffer validation for smb direct
Add buffer validation for smb direct. Acked-by: Namjae Jeon <[email protected]> Signed-off-by: Hyunchul Lee <[email protected]> Signed-off-by: Steve French <[email protected]>
1 parent 4bc5947 commit 2ea086e

1 file changed

+19
-2
lines changed


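--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -549,17 +549,34 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
 
 switch (recvmsg->type) {
 case SMB_DIRECT_MSG_NEGOTIATE_REQ:
+if (wc->byte_len < sizeof(struct smb_direct_negotiate_req)) {
+put_empty_recvmsg(t, recvmsg);
+return;
+}
 t->negotiation_requested = true;
 t->full_packet_received = true;
 wake_up_interruptible(&t->wait_status);
 break;
 case SMB_DIRECT_MSG_DATA_TRANSFER: {
 struct smb_direct_data_transfer *data_transfer =
 (struct smb_direct_data_transfer *)recvmsg->packet;
-int data_length = le32_to_cpu(data_transfer->data_length);
+unsigned int data_length;
 int avail_recvmsg_count, receive_credits;
 
+if (wc->byte_len <
+offsetof(struct smb_direct_data_transfer, padding)) {
+put_empty_recvmsg(t, recvmsg);
+return;
+}
+
+data_length = le32_to_cpu(data_transfer->data_length);
 if (data_length) {
+if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
+(u64)data_length) {
+put_empty_recvmsg(t, recvmsg);
+return;
+}
+
 if (t->full_packet_received)
 recvmsg->first_segment = true;
 
@@ -568,7 +585,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
 else
 t->full_packet_received = true;
 
-enqueue_reassembly(t, recvmsg, data_length);
+enqueue_reassembly(t, recvmsg, (int)data_length);
 wake_up_interruptible(&t->wait_reassembly_queue);
 
 spin_lock(&t->receive_credit_lock);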
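Review bot: The new DATA_TRANSFER length check bounds the payload from sizeof(struct smb_direct_data_transfer), but the message's own data_offset field is not validated anywhere in this hunk; if the reassembly consumer honours data_offset when it copies the payload out (that code is not visible here), the bound that actually protects the buffer is `data_offset >= sizeof(struct smb_direct_data_transfer) && (u64)data_offset + data_length <= wc->byte_len`, and it belongs next to the new check. Both early returns also discard the malformed message silently, so a peer that keeps sending short frames leaves no trace for an operator; a rate-limited log line (pr_err_ratelimited or the ksmbd_debug RDMA channel) before each put_empty_recvmsg() call would make this detectable. A one-line comment on why the first guard stops at `offsetof(struct smb_direct_data_transfer, padding)` (only the fields needed to read data_length) while the second uses the full sizeof would help the next reader, since the two thresholds look inconsistent at first glance. recv_done() begins and ends outside this hunk, so the zero-length path that skips the second check was not reviewed here.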
