Skip to content

Commit dec4035

Browse files
pvts-matPlaidCat
pvts-mat
authored and
PlaidCat
committed
smb: client: fix potential OOB in smb2_dump_detail()
jira VULN-6795 cve CVE-2023-6610 commit-author Paulo Alcantara <[email protected]> commit 567320c Validate SMB message with ->check_message() before calling ->calc_smb_size(). This fixes CVE-2023-6610. Reported-by: [email protected] Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218219 Cc; [email protected] Signed-off-by: Paulo Alcantara <[email protected]> Signed-off-by: Steve French <[email protected]> (cherry picked from commit 567320c) Signed-off-by: Marcin Wcisło <[email protected]>
1 parent 7a7f1c0 commit dec4035

File tree

2 files changed

+19
-17
lines changed

2 files changed

+19
-17
lines changed

fs/cifs/smb2misc.c

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -169,6 +169,21 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server)
169169
}
170170

171171
mid = le64_to_cpu(shdr->MessageId);
172+
if (check_smb2_hdr(shdr, mid))
173+
return 1;
174+
175+
if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
176+
cifs_dbg(VFS, "Invalid structure size %u\n",
177+
le16_to_cpu(shdr->StructureSize));
178+
return 1;
179+
}
180+
181+
command = le16_to_cpu(shdr->Command);
182+
if (command >= NUMBER_OF_SMB2_COMMANDS) {
183+
cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
184+
return 1;
185+
}
186+
172187
if (len < pdu_size) {
173188
if ((len >= hdr_size)
174189
&& (shdr->Status != 0)) {
@@ -189,21 +204,6 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server)
189204
return 1;
190205
}
191206

192-
if (check_smb2_hdr(shdr, mid))
193-
return 1;
194-
195-
if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
196-
cifs_dbg(VFS, "Invalid structure size %u\n",
197-
le16_to_cpu(shdr->StructureSize));
198-
return 1;
199-
}
200-
201-
command = le16_to_cpu(shdr->Command);
202-
if (command >= NUMBER_OF_SMB2_COMMANDS) {
203-
cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
204-
return 1;
205-
}
206-
207207
if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) {
208208
if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 ||
209209
pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {

fs/cifs/smb2ops.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -386,8 +386,10 @@ smb2_dump_detail(void *buf, struct TCP_Server_Info *server)
386386
cifs_server_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Mid: %llu Pid: %d\n",
387387
shdr->Command, shdr->Status, shdr->Flags, shdr->MessageId,
388388
shdr->Id.SyncId.ProcessId);
389-
cifs_server_dbg(VFS, "smb buf %p len %u\n", buf,
390-
server->ops->calc_smb_size(buf));
389+
if (!server->ops->check_message(buf, server->total_read, server)) {
390+
cifs_server_dbg(VFS, "smb buf %p len %u\n", buf,
391+
server->ops->calc_smb_size(buf));
392+
}
391393
#endif
392394
}
393395

0 commit comments

Comments
 (0)