lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <05A23230-C800-4693-AB69-273A0B10C822@toblux.com>
Date: Tue, 20 Aug 2024 18:33:28 +0200
From: Thorsten Blum <thorsten.blum@...lux.com>
To: Tom Talpey <tom@...pey.com>
Cc: Namjae Jeon <linkinjeon@...nel.org>,
 sfrench@...ba.org,
 senozhatsky@...omium.org,
 linux-cifs@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Replace one-element arrays with flexible-array
 members

On 20. Aug 2024, at 16:52, Tom Talpey <tom@...pey.com> wrote:
> On 8/20/2024 10:11 AM, Namjae Jeon wrote:
>> On Mon, Aug 19, 2024 at 1:22 AM Thorsten Blum <thorsten.blum@...lux.com> wrote:
>>> 
>>> Replace the deprecated one-element arrays with flexible-array members
>>> in the structs copychunk_ioctl_req and smb2_ea_info_req.
>>> 
>>> There are no binary differences after this conversion.
>>> 
>>> Link: https://github.com/KSPP/linux/issues/79
>>> Signed-off-by: Thorsten Blum <thorsten.blum@...lux.com>
>>> ---
>>>  fs/smb/server/smb2pdu.c | 4 ++--
>>>  fs/smb/server/smb2pdu.h | 4 ++--
>>>  2 files changed, 4 insertions(+), 4 deletions(-)
>>> 
>>> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
>>> index 2df1354288e6..83667cb78fa6 100644
>>> --- a/fs/smb/server/smb2pdu.c
>>> +++ b/fs/smb/server/smb2pdu.c
>>> @@ -4580,7 +4580,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
>>>         /* single EA entry is requested with given user.* name */
>>>         if (req->InputBufferLength) {
>>>                 if (le32_to_cpu(req->InputBufferLength) <
>>> -                   sizeof(struct smb2_ea_info_req))
>>> +                   sizeof(struct smb2_ea_info_req) + 1)
>> We can use <= instead of +1.
> 
> This is better, but maybe this test was actually not right in
> the first place.
> 
> I think a strict "<" is correct here, because the ea name
> field is a counted array of length EaNameLength. So, it's
> a layering issue to fail with EINVAL this early in the
> processing. All that should be checked up front is
> that a complete smb2_ea_info_req header is present.

Just to clarify before I submit a v2: Is a strict "<" and without "+1" 
correct?

>>>                         return -EINVAL;
>>> 
>>>                 ea_req = (struct smb2_ea_info_req *)((char *)req +
>>> @@ -8083,7 +8083,7 @@ int smb2_ioctl(struct ksmbd_work *work)
>>>                         goto out;
>>>                 }
>>> 
>>> -               if (in_buf_len < sizeof(struct copychunk_ioctl_req)) {
>>> +               if (in_buf_len < sizeof(struct copychunk_ioctl_req) + 1) {
>> Ditto.
> 
> And ditto.

Same here, strict "<" and without "+ 1"? Or just a refactor to "<=" 
without changing the condition?

Thanks,
Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ