Skip to content

Commit e7067a4

Browse files
ddisssmfrench
ddiss
authored and
smfrench
committed
ksmbd: avoid out of bounds access in decode_preauth_ctxt()
Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient. Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt. Signed-off-by: David Disseldorp <[email protected]> Acked-by: Namjae Jeon <[email protected]> Cc: <[email protected]> Signed-off-by: Steve French <[email protected]>
1 parent 09a9639 commit e7067a4

1 file changed

Lines changed: 14 additions & 9 deletions

File tree

fs/ksmbd/smb2pdu.c

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -876,17 +876,21 @@ static void assemble_neg_contexts(struct ksmbd_conn *conn,
876876
}
877877

878878
static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
879-
struct smb2_preauth_neg_context *pneg_ctxt)
879+
struct smb2_preauth_neg_context *pneg_ctxt,
880+
int len_of_ctxts)
880881
{
881-
__le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
882+
/*
883+
* sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
884+
* which may not be present. Only check for used HashAlgorithms[1].
885+
*/
886+
if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
887+
return STATUS_INVALID_PARAMETER;
882888

883-
if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
884-
conn->preauth_info->Preauth_HashId =
885-
SMB2_PREAUTH_INTEGRITY_SHA512;
886-
err = STATUS_SUCCESS;
887-
}
889+
if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
890+
return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
888891

889-
return err;
892+
conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
893+
return STATUS_SUCCESS;
890894
}
891895

892896
static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
@@ -1014,7 +1018,8 @@ static __le32 deassemble_neg_contexts(struct ksmbd_conn *conn,
10141018
break;
10151019

10161020
status = decode_preauth_ctxt(conn,
1017-
(struct smb2_preauth_neg_context *)pctx);
1021+
(struct smb2_preauth_neg_context *)pctx,
1022+
len_of_ctxts);
10181023
if (status != STATUS_SUCCESS)
10191024
break;
10201025
} else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {

0 commit comments

Comments
 (0)