Re: [PATCH 2/2] smb: client: fix OOB reads parsing symlink error response

From: ChenXiaoSong

Date: Wed Apr 08 2026 - 05:04:08 EST


Sashiko reported the following out-of-bounds issue. I have checked and confirmed that this indeed causes an OOB access.

When create fails on symlink, `len` in `smb2_check_message()` may be smaller than `calc_len`. The function flow is as follows:

```
smb2_check_message()
// ensure StructureSize2 is 9
if (... pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE ...) // false
smb2_calc_size()
len = le16_to_cpu(shdr->StructureSize) == 64
len += le16_to_cpu(pdu->StructureSize2) == 64 + 9
smb2_get_data_area_len
if (shdr->StructureSize == 9) // true, return NULL
calc_len == 64 + 9
if (len != calc_len) { // true
/* create failed on symlink */
if (command == SMB2_CREATE_HE && shdr->Status == STATUS_STOPPED_ON_SYMLINK) // true
```

Should we add the following check? Or check it in symlink_data()?

```
-- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len,
if (len != calc_len) {
/* create failed on symlink */
if (command == SMB2_CREATE_HE &&
- shdr->Status == STATUS_STOPPED_ON_SYMLINK)
+ shdr->Status == STATUS_STOPPED_ON_SYMLINK &&
+ len > calc_len)
return 0;
/* Windows 7 server returns 24 bytes more */
if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)

```
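Review bot: the added `len > calc_len` condition only rejects symlink error responses shorter than the 73-byte minimum (64-byte header plus StructureSize2 of 9); it does not bound anything past that fixed part, so symlink_data() still has to check every read of ErrorContextCount, ByteCount and the symlink payload against iov->iov_len. Worth a one-line comment on the `&& len > calc_len` line stating that a shorter-than-calc_len response is a truncated one, since the existing "create failed on symlink" comment reads as if any mismatch is legitimate; also note that a short response now falls through to the `calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE` check and the rest of the function, so the intended outcome is the error return at the end, not a later accept.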

--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -27,10 +27,11 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
{
struct smb2_err_rsp *err = iov->iov_base;
struct smb2_symlink_err_rsp *sym = ERR_PTR(-EINVAL);
+ u8 *end = (u8 *)err + iov->iov_len;
u32 len;
if (err->ErrorContextCount) {
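Review bot: `end` is derived from iov->iov_len, but the first field access `err->ErrorContextCount` on the following line happens before anything is compared against it, so a response that carries only the 64-byte SMB2 header is already dereferenced past its end here. Add `if (iov->iov_len < sizeof(*err)) return sym;` (or the equivalent check against `end`) ahead of `if (err->ErrorContextCount) {`, and apply the same bound to the later `err->ByteCount` read and to the symlink payload it describes.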
Since smb2_check_message() returns success without length validation for
the symlink error response, is it possible for iov->iov_len to be smaller
than sizeof(struct smb2_err_rsp)?
If the buffer only contains the base SMB2 header (64 bytes), does accessing
err->ErrorContextCount (at offset 66) or err->ByteCount later in this
function cause an out-of-bounds read?

--
ChenXiaoSong <chenxiaosong@xxxxxxxxxx>
Chinese Homepage: chenxiaosong.com
English Homepage: chenxiaosong.com/en
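As an added illustration (not code from this thread or from the kernel), the following user-space C model shows the two checks the message discusses: the `len` versus `calc_len` decision in smb2_check_message(), with and without the proposed `len > calc_len` condition, and a bounds-checked read of ErrorContextCount (offset 66) and ByteCount of the kind symlink_data() would need before touching those fields. The struct layout, the command code and the STATUS_STOPPED_ON_SYMLINK value are assumptions chosen to match the sizes quoted above (64-byte header, StructureSize2 of 9); the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified user-space model of the checks discussed in the thread.
 * Not kernel code: the layout and constants below are assumptions chosen
 * to match the sizes quoted in the message (64-byte header, and an error
 * response whose StructureSize2 is 9).
 */
#define SMB2_HDR_SIZE              64u
#define SMB2_ERROR_STRUCTURE_SIZE2 9u
#define SMB2_CREATE_CMD            5u          /* assumed CREATE command code */
#define STATUS_STOPPED_ON_SYMLINK  0x8000002Du /* assumed NTSTATUS value */

/* Only the header fields the length check consults (model, not wire layout). */
struct hdr_model {
    uint16_t structure_size;   /* shdr->StructureSize */
    uint16_t structure_size2;  /* pdu->StructureSize2 */
    uint32_t status;           /* shdr->Status */
    uint16_t command;          /* command */
};

/*
 * Mirrors the len/calc_len decision: returns 0 to accept, 1 to reject.
 * guard_short == 0 reproduces the current behaviour; guard_short == 1 adds
 * the proposed "len > calc_len" condition, so a response shorter than the
 * fixed part (a truncated one) is no longer accepted.
 */
int check_message_model(const struct hdr_model *h, size_t len, int guard_short)
{
    size_t calc_len;

    if (h->structure_size2 != SMB2_ERROR_STRUCTURE_SIZE2)
        return 1;
    calc_len = (size_t)h->structure_size + h->structure_size2; /* 64 + 9 */
    if (len != calc_len) {
        /* create failed on symlink: a longer payload is legitimate,
         * a shorter one can only mean the response was truncated */
        if (h->command == SMB2_CREATE_CMD &&
            h->status == STATUS_STOPPED_ON_SYMLINK &&
            (!guard_short || len > calc_len))
            return 0;
        return 1;
    }
    return 0;
}

/*
 * Bounds-checked read of the error response fields named in the thread:
 * ErrorContextCount at offset 66 and a 4-byte little-endian ByteCount at
 * offset 68 (the fixed part is assumed to end at offset 72).
 * Returns 0 and fills the outputs, or -1 if the buffer is too short or
 * ByteCount points past the received data.
 */
int read_err_fields_model(const uint8_t *buf, size_t len,
                          uint8_t *ctx_count, uint32_t *byte_count)
{
    const size_t fixed_end = SMB2_HDR_SIZE + 8; /* StructureSize..ByteCount */
    uint32_t bc;

    if (len < fixed_end)
        return -1; /* reading ErrorContextCount/ByteCount would run past the end */
    bc = (uint32_t)buf[68] | (uint32_t)buf[69] << 8 |
         (uint32_t)buf[70] << 16 | (uint32_t)buf[71] << 24;
    if (bc > len - fixed_end)
        return -1; /* ByteCount claims more ErrorData than was received */
    *ctx_count = buf[66];
    *byte_count = bc;
    return 0;
}

int main(void)
{
    struct hdr_model h = { 64, 9, STATUS_STOPPED_ON_SYMLINK, SMB2_CREATE_CMD };
    uint8_t buf[73];          /* constructed sample: header + 9-byte error part */
    uint8_t cc;
    uint32_t bc;

    memset(buf, 0, sizeof(buf));
    printf("64-byte response, no guard:   %s\n",
           check_message_model(&h, 64, 0) ? "rejected" : "accepted");
    printf("64-byte response, with guard: %s\n",
           check_message_model(&h, 64, 1) ? "rejected" : "accepted");
    printf("field read on 64 bytes: %d\n", read_err_fields_model(buf, 64, &cc, &bc));
    buf[68] = 1;              /* ByteCount = 1: one byte of ErrorData at offset 72 */
    printf("field read on 73 bytes: %d\n", read_err_fields_model(buf, 73, &cc, &bc));
    return 0;
}
```

The first two lines of output show the difference the proposed condition makes: a 64-byte STATUS_STOPPED_ON_SYMLINK response is accepted today and rejected with the guard. The field-read helper shows the second half of the argument: even with the guard, any code that walks the error response should compare against the received length before each access, because the guard only establishes the 73-byte minimum.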