Commit c7705eec authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

ksmbd: use buf_data_size instead of recalculation in smb3_decrypt_req()

Tom suggested to use buf_data_size that is already calculated, to verify
these offsets.

Cc: Tom Talpey <tom@talpey.com>
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Ralph Böhme <slow@samba.org>
Suggested-by: default avatarTom Talpey <tom@talpey.com>
Acked-by: default avatarHyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 51a13873
...@@ -8395,20 +8395,18 @@ int smb3_decrypt_req(struct ksmbd_work *work) ...@@ -8395,20 +8395,18 @@ int smb3_decrypt_req(struct ksmbd_work *work)
struct smb2_hdr *hdr; struct smb2_hdr *hdr;
unsigned int pdu_length = get_rfc1002_len(buf); unsigned int pdu_length = get_rfc1002_len(buf);
struct kvec iov[2]; struct kvec iov[2];
unsigned int buf_data_size = pdu_length + 4 - int buf_data_size = pdu_length + 4 -
sizeof(struct smb2_transform_hdr); sizeof(struct smb2_transform_hdr);
struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf; struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)buf;
int rc = 0; int rc = 0;
if (pdu_length + 4 < if (buf_data_size < sizeof(struct smb2_hdr)) {
sizeof(struct smb2_transform_hdr) + sizeof(struct smb2_hdr)) {
pr_err("Transform message is too small (%u)\n", pr_err("Transform message is too small (%u)\n",
pdu_length); pdu_length);
return -ECONNABORTED; return -ECONNABORTED;
} }
if (pdu_length + 4 < if (buf_data_size < le32_to_cpu(tr_hdr->OriginalMessageSize)) {
le32_to_cpu(tr_hdr->OriginalMessageSize) + sizeof(struct smb2_transform_hdr)) {
pr_err("Transform message is broken\n"); pr_err("Transform message is broken\n");
return -ECONNABORTED; return -ECONNABORTED;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment