| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d7a30cff-e08f-453e-84f2-4584031e3d29@talpey.com>
Date: Tue, 20 Aug 2024 10:52:33 -0400
From: Tom Talpey <tom@...pey.com>
To: Namjae Jeon <linkinjeon@...nel.org>,
Thorsten Blum <thorsten.blum@...lux.com>
Cc: sfrench@...ba.org, senozhatsky@...omium.org, linux-cifs@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Replace one-element arrays with flexible-array
members
On 8/20/2024 10:11 AM, Namjae Jeon wrote:
> On Mon, Aug 19, 2024 at 1:22 AM Thorsten Blum <thorsten.blum@...lux.com> wrote:
>>
>> Replace the deprecated one-element arrays with flexible-array members
>> in the structs copychunk_ioctl_req and smb2_ea_info_req.
>>
>> There are no binary differences after this conversion.
>>
>> Link: https://github.com/KSPP/linux/issues/79
>> Signed-off-by: Thorsten Blum <thorsten.blum@...lux.com>
>> ---
>> fs/smb/server/smb2pdu.c | 4 ++--
>> fs/smb/server/smb2pdu.h | 4 ++--
>> 2 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
>> index 2df1354288e6..83667cb78fa6 100644
>> --- a/fs/smb/server/smb2pdu.c
>> +++ b/fs/smb/server/smb2pdu.c
>> @@ -4580,7 +4580,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
>> /* single EA entry is requested with given user.* name */
>> if (req->InputBufferLength) {
>> if (le32_to_cpu(req->InputBufferLength) <
>> - sizeof(struct smb2_ea_info_req))
>> + sizeof(struct smb2_ea_info_req) + 1)
> We can use <= instead of +1.
This is better, but maybe this test was actually not right in
the first place.
I think a strict "<" is correct here, because the ea name
field is a counted array of length EaNameLength. So, it's
a layering issue to fail with EINVAL this early in the
processing. All that should be checked up front is
that a complete smb2_ea_info_req header is present.
>> return -EINVAL;
>>
>> ea_req = (struct smb2_ea_info_req *)((char *)req +
>> @@ -8083,7 +8083,7 @@ int smb2_ioctl(struct ksmbd_work *work)
>> goto out;
>> }
>>
>> - if (in_buf_len < sizeof(struct copychunk_ioctl_req)) {
>> + if (in_buf_len < sizeof(struct copychunk_ioctl_req) + 1) {
> Ditto.
And ditto.
Tom.
>> ret = -EINVAL;
>> goto out;
>> }
>> diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h
>> index 3be7d5ae65a8..73aff20e22d0 100644
>> --- a/fs/smb/server/smb2pdu.h
>> +++ b/fs/smb/server/smb2pdu.h
>> @@ -194,7 +194,7 @@ struct copychunk_ioctl_req {
>> __le64 ResumeKey[3];
>> __le32 ChunkCount;
>> __le32 Reserved;
>> - __u8 Chunks[1]; /* array of srv_copychunk */
>> + __u8 Chunks[]; /* array of srv_copychunk */
>> } __packed;
>>
>> struct srv_copychunk {
>> @@ -370,7 +370,7 @@ struct smb2_file_attr_tag_info {
>> struct smb2_ea_info_req {
>> __le32 NextEntryOffset;
>> __u8 EaNameLength;
>> - char name[1];
>> + char name[];
>> } __packed; /* level 15 Query */
>>
>> struct smb2_ea_info {
>> --
>> 2.46.0
>>
>
Powered by blists - more mailing lists