Merge tag '6.6-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French: "Two SMB3 server fixes for null pointer dereferences: - invalid SMB3 request case (fixes issue found in testing the read compound patch) - iovec error case in response processing" * tag '6.6-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: check iov vector index in ksmbd_conn_write() ksmbd: return invalid parameter error response if smb2 request is invalid
mariux64 · Sep 29, 2023 · 9f3ebbe · 9f3ebbe
2 parents 14c06b9 + 73f949e
commit 9f3ebbe
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
@@ -197,6 +197,9 @@ int ksmbd_conn_write(struct ksmbd_work *work)
 	if (work->send_no_response)
 		return 0;
 
+	if (!work->iov_idx)
+		return -EINVAL;
+
 	ksmbd_conn_lock(conn);
 	sent = conn->transport->ops->writev(conn->transport, work->iov,
 			work->iov_cnt,

diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
@@ -115,8 +115,10 @@ static int __process_request(struct ksmbd_work *work, struct ksmbd_conn *conn,
 	if (check_conn_state(work))
 		return SERVER_HANDLER_CONTINUE;
 
-	if (ksmbd_verify_smb_message(work))
+	if (ksmbd_verify_smb_message(work)) {
+		conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
 		return SERVER_HANDLER_ABORT;
+	}
 
 	command = conn->ops->get_cmd_val(work);
 	*cmd = command;

diff --git a/fs/smb/server/smb2misc.c b/fs/smb/server/smb2misc.c
@@ -440,10 +440,8 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
 
 validate_credit:
 	if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
-	    smb2_validate_credit_charge(work->conn, hdr)) {
-		work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+	    smb2_validate_credit_charge(work->conn, hdr))
 		return 1;
-	}
 
 	return 0;
 }