Commit 40c18f36 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag '6.2-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd 

Pull ksmb server fixes from Steve French:

 - fix possible infinite loop in socket handler

 - fix possible panic in ntlmv2 authentication

 - fix error handling on tree connect

* tag '6.2-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix infinite loop in ksmbd_conn_handler_loop()
  ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob
  ksmbd: send proper error response in smb2_tree_connect()
parents 526970be 83dcedd5

fs/ksmbd/auth.c

+2 −1
Original line number Diff line number Diff line
@@ -322,7 +322,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob, 
	dn_off = le32_to_cpu(authblob->DomainName.BufferOffset);

	dn_len = le16_to_cpu(authblob->DomainName.Length);



	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len)

	if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len ||

	    nt_len < CIFS_ENCPWD_SIZE)

		return -EINVAL;



	/* TODO : use domain name that imported from configuration file */

fs/ksmbd/connection.c

+5 −2
Original line number Diff line number Diff line
@@ -316,9 +316,12 @@ int ksmbd_conn_handler_loop(void *p) 


		/* 4 for rfc1002 length field */

		size = pdu_size + 4;

		conn->request_buf = kvmalloc(size, GFP_KERNEL);

		conn->request_buf = kvmalloc(size,

					     GFP_KERNEL |

					     __GFP_NOWARN |

					     __GFP_NORETRY);

		if (!conn->request_buf)

			continue;

			break;



		memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf));

		if (!ksmbd_smb_request(conn))

fs/ksmbd/smb2pdu.c

+5 −2
Original line number Diff line number Diff line
@@ -1928,13 +1928,13 @@ int smb2_tree_connect(struct ksmbd_work *work) 
	if (conn->posix_ext_supported)

		status.tree_conn->posix_extensions = true;



out_err1:

	rsp->StructureSize = cpu_to_le16(16);

	inc_rfc1001_len(work->response_buf, 16);

out_err1:

	rsp->Capabilities = 0;

	rsp->Reserved = 0;

	/* default manual caching */

	rsp->ShareFlags = SMB2_SHAREFLAG_MANUAL_CACHING;

	inc_rfc1001_len(work->response_buf, 16);



	if (!IS_ERR(treename))

		kfree(treename);
@@ -1967,6 +1967,9 @@ int smb2_tree_connect(struct ksmbd_work *work) 
		rsp->hdr.Status = STATUS_ACCESS_DENIED;

	}



	if (status.ret != KSMBD_TREE_CONN_STATUS_OK)

		smb2_set_err_rsp(work);



	return rc;

}

fs/ksmbd/transport_tcp.c

+4 −1
Original line number Diff line number Diff line
@@ -295,6 +295,7 @@ static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig, 
	struct msghdr ksmbd_msg;

	struct kvec *iov;

	struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn;

	int max_retry = 2;



	iov = get_conn_iovec(t, nr_segs);

	if (!iov)
@@ -321,9 +322,11 @@ static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig, 
		} else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {

			total_read = -EAGAIN;

			break;

		} else if (length == -ERESTARTSYS || length == -EAGAIN) {

		} else if ((length == -ERESTARTSYS || length == -EAGAIN) &&

			   max_retry) {

			usleep_range(1000, 2000);

			length = 0;

			max_retry--;

			continue;

		} else if (length <= 0) {

			total_read = -EAGAIN;