ksmbd: validate credit charge after validating SMB2 PDU body size

smb2_validate_credit_charge() accesses fields in the SMB2 PDU body,
but until smb2_calc_size() is called the PDU has not yet been verified
to be large enough to access the PDU dynamic part length field.

Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
index e7e441c..030ca57 100644 (file)
--- a/fs/ksmbd/smb2misc.c
+++ b/fs/ksmbd/smb2misc.c
@@ -400,26 +400,20 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
                }
        }
 
-       if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
-           smb2_validate_credit_charge(work->conn, hdr)) {
-               work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
-               return 1;
-       }
-
        if (smb2_calc_size(hdr, &clc_len))
                return 1;
 
        if (len != clc_len) {
                /* client can return one byte more due to implied bcc[0] */
                if (clc_len == len + 1)
-                       return 0;
+                       goto validate_credit;
 
                /*
                 * Some windows servers (win2016) will pad also the final
                 * PDU in a compound to 8 bytes.
                 */
                if (ALIGN(clc_len, 8) == len)
-                       return 0;
+                       goto validate_credit;
 
                /*
                 * windows client also pad up to 8 bytes when compounding.
@@ -432,7 +426,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
                                    "cli req padded more than expected. Length %d not %d for cmd:%d mid:%llu\n",
                                    len, clc_len, command,
                                    le64_to_cpu(hdr->MessageId));
-                       return 0;
+                       goto validate_credit;
                }
 
                ksmbd_debug(SMB,
@@ -443,6 +437,13 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
                return 1;
        }
 
+validate_credit:
+       if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+           smb2_validate_credit_charge(work->conn, hdr)) {
+               work->conn->ops->set_rsp_status(work, STATUS_INVALID_PARAMETER);
+               return 1;
+       }
+
        return 0;
 }