ksmbd: tighten create file attribute validation
authorNamjae Jeon <linkinjeon@kernel.org>
Sun, 21 Jun 2026 10:45:07 +0000 (19:45 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 23 Jun 2026 01:15:05 +0000 (20:15 -0500)
smb2.create.gentest checks each create FileAttributes bit independently and
expects FILE_ATTRIBUTE_INTEGRITY_STREAM and FILE_ATTRIBUTE_NO_SCRUB_DATA to
be rejected with STATUS_INVALID_PARAMETER.

ksmbd validates create FileAttributes against FILE_ATTRIBUTE_MASK, which
includes those bits. It also rejects only requests that have no known
attribute bit at all, so a request containing both known and unknown bits
can pass validation.

Use a create-specific attribute mask that excludes INTEGRITY_STREAM and
NO_SCRUB_DATA, and reject any bit outside that mask.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index 9a1308f32f455c94147a362b11d421a1fe728c7b..d6001cdce085d7dcad64c51fdeea8cefe7220739 100644 (file)
@@ -57,6 +57,10 @@ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
 
 #define WORK_BUFFERS(w, rq, rs)        __wbuf((w), (void **)&(rq), (void **)&(rs))
 
+#define SMB2_CREATE_FILE_ATTRIBUTE_MASK \
+       (FILE_ATTRIBUTE_MASK & ~(FILE_ATTRIBUTE_INTEGRITY_STREAM | \
+                                FILE_ATTRIBUTE_NO_SCRUB_DATA))
+
 /**
  * check_session_id() - check for valid session id in smb header
  * @conn:      connection instance
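Review bot: The new `SMB2_CREATE_FILE_ATTRIBUTE_MASK` macro has no comment saying why these two bits are carved out of `FILE_ATTRIBUTE_MASK`, so the reason lives only in the commit message. A one-line comment above it would keep that with the code: `/* FileAttributes bits accepted in SMB2 CREATE; INTEGRITY_STREAM and NO_SCRUB_DATA must fail with STATUS_INVALID_PARAMETER */`. The mask is in CPU byte order, whereas the check it replaces used `FILE_ATTRIBUTE_MASK_LE`. Saying so in the comment, or defining an `_LE` variant, would make a missing `cpu_to_le32()` at a future use site easier to spot.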
@@ -3339,7 +3343,8 @@ int smb2_open(struct ksmbd_work *work)
                goto err_out2;
        }
 
-       if (req->FileAttributes && !(req->FileAttributes & FILE_ATTRIBUTE_MASK_LE)) {
+       if (req->FileAttributes &&
+           (req->FileAttributes & ~cpu_to_le32(SMB2_CREATE_FILE_ATTRIBUTE_MASK))) {
                pr_err("Invalid file attribute : 0x%x\n",
                       le32_to_cpu(req->FileAttributes));
                rc = -EINVAL;
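Review bot: With the stricter test, every create request carrying a bit outside the mask now reaches the unchanged `pr_err("Invalid file attribute ...")` call, so a connected client can produce one kernel log line per request. Switching it to `pr_err_ratelimited(...)`, or to a debug-level message, would bound that log volume. The leading `req->FileAttributes &&` is also redundant now, because a zero value has no bits outside the mask; `if (req->FileAttributes & ~cpu_to_le32(SMB2_CREATE_FILE_ATTRIBUTE_MASK)) {` is equivalent. The body of smb2_open starts and continues outside this hunk, so how `-EINVAL` maps to the wire status cannot be confirmed from here.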