smb: client: fix potential OOB in smb2_dump_detail()
authorPaulo Alcantara <pc@manguebit.com>
Tue, 19 Dec 2023 16:10:31 +0000 (13:10 -0300)
committerSteve French <stfrench@microsoft.com>
Tue, 19 Dec 2023 16:33:39 +0000 (10:33 -0600)
Validate SMB message with ->check_message() before calling
->calc_smb_size().

This fixes CVE-2023-6610.

Reported-by: j51569436@gmail.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218219
Cc; stable@vger.kernel.org
Signed-off-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2misc.c
fs/smb/client/smb2ops.c

index e20b4354e703b8e9662808bf19441fe91a7f682b..82b84a4941dd2f05e8d516b54b6a209dbd7985d1 100644 (file)
@@ -173,6 +173,21 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server)
        }
 
        mid = le64_to_cpu(shdr->MessageId);
+       if (check_smb2_hdr(shdr, mid))
+               return 1;
+
+       if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
+               cifs_dbg(VFS, "Invalid structure size %u\n",
+                        le16_to_cpu(shdr->StructureSize));
+               return 1;
+       }
+
+       command = le16_to_cpu(shdr->Command);
+       if (command >= NUMBER_OF_SMB2_COMMANDS) {
+               cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
+               return 1;
+       }
+
        if (len < pdu_size) {
                if ((len >= hdr_size)
                    && (shdr->Status != 0)) {
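Review bot: The relocated checks read `shdr->StructureSize` and `shdr->Command`, and pass `shdr` to `check_smb2_hdr()`, before the first length test visible in this hunk (`if (len < pdu_size)`), so they rely on `len` already covering a full SMB2 header. That matters more now that smb2_dump_detail() feeds `server->total_read` into this function on a debug path. If nothing earlier in the function guarantees it, a guard such as `if (len < hdr_size) return 1;` ahead of `check_smb2_hdr()` would make the ordering safe on its own. smb2_check_message() starts and ends outside this hunk, so the preceding code should be checked before adding it.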
@@ -193,21 +208,6 @@ smb2_check_message(char *buf, unsigned int len, struct TCP_Server_Info *server)
                return 1;
        }
 
-       if (check_smb2_hdr(shdr, mid))
-               return 1;
-
-       if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
-               cifs_dbg(VFS, "Invalid structure size %u\n",
-                        le16_to_cpu(shdr->StructureSize));
-               return 1;
-       }
-
-       command = le16_to_cpu(shdr->Command);
-       if (command >= NUMBER_OF_SMB2_COMMANDS) {
-               cifs_dbg(VFS, "Invalid SMB2 command %d\n", command);
-               return 1;
-       }
-
        if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) {
                if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 ||
                    pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) {
index 62b0a8df867baa666c25b5b35bf103826e69ed55..66b310208545bfa224bcb0d06e1fed69973b3aee 100644 (file)
@@ -403,8 +403,10 @@ smb2_dump_detail(void *buf, struct TCP_Server_Info *server)
        cifs_server_dbg(VFS, "Cmd: %d Err: 0x%x Flags: 0x%x Mid: %llu Pid: %d\n",
                 shdr->Command, shdr->Status, shdr->Flags, shdr->MessageId,
                 shdr->Id.SyncId.ProcessId);
-       cifs_server_dbg(VFS, "smb buf %p len %u\n", buf,
-                server->ops->calc_smb_size(buf));
+       if (!server->ops->check_message(buf, server->total_read, server)) {
+               cifs_server_dbg(VFS, "smb buf %p len %u\n", buf,
+                               server->ops->calc_smb_size(buf));
+       }
 #endif
 }
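Review bot: When `check_message()` rejects the buffer, the `smb buf ... len` line is now dropped with no trace, so a reader of the dump cannot tell a skipped length from a lost log line. An `else` branch such as `cifs_server_dbg(VFS, "smb buf %p failed validation, len not computed\n", buf);` would keep the dump self-explanatory. A short comment above the `if`, e.g. `/* only compute the size of a message that passed check_message() */`, would record why the guard exists. The validation call can also log its own VFS-level "Invalid ..." messages (see the smb2misc.c hunk), so dumping a malformed frame may now print more than before. The guard assumes `server->total_read` is the number of valid bytes in `buf` for every caller of smb2_dump_detail(), which cannot be confirmed here because the function starts outside this hunk.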