lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d7a30cff-e08f-453e-84f2-4584031e3d29@talpey.com>
Date: Tue, 20 Aug 2024 10:52:33 -0400
From: Tom Talpey <tom@...pey.com>
To: Namjae Jeon <linkinjeon@...nel.org>,
 Thorsten Blum <thorsten.blum@...lux.com>
Cc: sfrench@...ba.org, senozhatsky@...omium.org, linux-cifs@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ksmbd: Replace one-element arrays with flexible-array
 members

On 8/20/2024 10:11 AM, Namjae Jeon wrote:
> On Mon, Aug 19, 2024 at 1:22 AM Thorsten Blum <thorsten.blum@...lux.com> wrote:
>>
>> Replace the deprecated one-element arrays with flexible-array members
>> in the structs copychunk_ioctl_req and smb2_ea_info_req.
>>
>> There are no binary differences after this conversion.
>>
>> Link: https://github.com/KSPP/linux/issues/79
>> Signed-off-by: Thorsten Blum <thorsten.blum@...lux.com>
>> ---
>>   fs/smb/server/smb2pdu.c | 4 ++--
>>   fs/smb/server/smb2pdu.h | 4 ++--
>>   2 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
>> index 2df1354288e6..83667cb78fa6 100644
>> --- a/fs/smb/server/smb2pdu.c
>> +++ b/fs/smb/server/smb2pdu.c
>> @@ -4580,7 +4580,7 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
>>          /* single EA entry is requested with given user.* name */
>>          if (req->InputBufferLength) {
>>                  if (le32_to_cpu(req->InputBufferLength) <
>> -                   sizeof(struct smb2_ea_info_req))
>> +                   sizeof(struct smb2_ea_info_req) + 1)
> We can use <= instead of +1.

This is better, but maybe this test was actually not right in
the first place.

I think a strict "<" is correct here, because the ea name
field is a counted array of length EaNameLength. So, it's
a layering issue to fail with EINVAL this early in the
processing. All that should be checked up front is
that a complete smb2_ea_info_req header is present.

>>                          return -EINVAL;
>>
>>                  ea_req = (struct smb2_ea_info_req *)((char *)req +
>> @@ -8083,7 +8083,7 @@ int smb2_ioctl(struct ksmbd_work *work)
>>                          goto out;
>>                  }
>>
>> -               if (in_buf_len < sizeof(struct copychunk_ioctl_req)) {
>> +               if (in_buf_len < sizeof(struct copychunk_ioctl_req) + 1) {
> Ditto.

And ditto.

Tom.

>>                          ret = -EINVAL;
>>                          goto out;
>>                  }
>> diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h
>> index 3be7d5ae65a8..73aff20e22d0 100644
>> --- a/fs/smb/server/smb2pdu.h
>> +++ b/fs/smb/server/smb2pdu.h
>> @@ -194,7 +194,7 @@ struct copychunk_ioctl_req {
>>          __le64 ResumeKey[3];
>>          __le32 ChunkCount;
>>          __le32 Reserved;
>> -       __u8 Chunks[1]; /* array of srv_copychunk */
>> +       __u8 Chunks[]; /* array of srv_copychunk */
>>   } __packed;
>>
>>   struct srv_copychunk {
>> @@ -370,7 +370,7 @@ struct smb2_file_attr_tag_info {
>>   struct smb2_ea_info_req {
>>          __le32 NextEntryOffset;
>>          __u8   EaNameLength;
>> -       char name[1];
>> +       char name[];
>>   } __packed; /* level 15 Query */
>>
>>   struct smb2_ea_info {
>> --
>> 2.46.0
>>
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ