authorNamjae Jeon <linkinjeon@kernel.org>2023-07-23 15:27:37 +0900
committerSteve French <stfrench@microsoft.com>2023-07-23 10:25:11 -0500
commit536bb492d39bb6c080c92f31e8a55fe9934f452b (patch)
treed88bd5f8284b25fd35f03fb188f160daf0c6e1a5 /fs/smb/server/server.c
parente202a1e8634b186da38cbbff85382ea2b9e297cf (diff)
ksmbd: fix out of bounds in init_smb2_rsp_hdr()
If a client sends an smb2 negotiate request and then sends an smb1 negotiate request, init_smb2_rsp_hdr is called for the smb1 negotiate request since need_neg is set to false. This patch ignores smb1 packets after ->need_neg is set to false. Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21541 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb/server/server.c')
-rw-r--r--fs/smb/server/server.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
index ced7a9e916f0..9df121bdf349 100644
--- a/fs/smb/server/server.c
+++ b/fs/smb/server/server.c
@@ -286,6 +286,7 @@ static void handle_ksmbd_work(struct work_struct *wk)
static int queue_ksmbd_work(struct ksmbd_conn *conn)
{
struct ksmbd_work *work;
+ int err;
work = ksmbd_alloc_work_struct();
if (!work) {
@@ -297,7 +298,11 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn)
work->request_buf = conn->request_buf;
conn->request_buf = NULL;
- ksmbd_init_smb_server(work);
+ err = ksmbd_init_smb_server(work);
+ if (err) {
+ ksmbd_free_work_struct(work);
+ return 0;
+ }
ksmbd_conn_enqueue_request(work);
atomic_inc(&conn->r_count);
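Review bot: The new error path reports success (`return 0;`) after dropping the packet and gives no hint why, and it depends on ksmbd_free_work_struct() releasing work->request_buf, which took ownership of conn->request_buf two lines above; if that helper does not free the buffer, every rejected packet leaks it. Whether it does is outside this hunk, so it should be confirmed and the intent stated inline, e.g. `/* Reject the packet silently; work owns request_buf and it is released with the work struct. */` above the free. It is also worth considering whether the caller should be told the request was discarded (a distinct return value or a debug log) so dropped packets are observable rather than indistinguishable from queued ones. queue_ksmbd_work's closing lines are outside the hunk.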